PDF malware analysis — malicious · 95346b613a6d3b5f

MALICIOUS

PDF

41.7 KB Created: 2020-08-31 13:01:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 80f3b622db6100b8b958208d95d75268 SHA-1: 16428d5fbf2090b5ddc2f8b70abdd289153a9344 SHA-256: 95346b613a6d3b5fb0e42816198d4268a87c501015c3f659a3ab6d757755c9df

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, disguised as a book download. This suggests a phishing or malware distribution attempt. The PDF also contains a large number of external links, characteristic of a link farm used to improve search engine ranking for malicious sites. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=sahih+al-bukhari+9+vol.set+-+arabic-english+pdf
- https://static.usrfiles.com/ugd/3de8a6_47a58e2004874a57ae4268e91590d19d.pdf
- https://static.usrfiles.com/ugd/34ec99_997223fc89e64cf9bf0dba7c3ff915c1.pdf
- https://static.usrfiles.com/ugd/d54300_aff6a546957c44f09d09b5e9238e87a8.pdf
- https://cdn.shopify.com/s/files/1/0430/8451/3440/files/febib.pdf
- https://cdn.shopify.com/s/files/1/0438/3683/3952/files/magic_lamp_gungeon.pdf
- https://cdn.shopify.com/s/files/1/0430/8077/7882/files/zetavonedawe.pdf
- https://cdn.shopify.com/s/files/1/0429/5367/0822/files/business_line_newspaper_download.pdf
- https://cdn.shopify.com/s/files/1/0430/9889/8592/files/agility_ladder_drills_football.pdf
- https://cdn.shopify.com/s/files/1/0429/8814/2743/files/99_day_banting_meal_plan.pdf
- https://cdn.shopify.com/s/files/1/0433/4410/1544/files/capitalization_worksheets_middle_school.pdf
- https://cdn.shopify.com/s/files/1/0429/1900/2268/files/75216968314.pdf
- https://cdn.shopify.com/s/files/1/0435/4444/5092/files/mopuvotolavirilurati.pdf
- https://static.usrfiles.com/ugd/4d935e_d67345692b044a2c9dca96f9a8d94f73.pdf
- https://static.usrfiles.com/ugd/b8c837_abdea59f2c09443eb3448a52612afc84.pdf
- https://static.usrfiles.com/ugd/b8c837_199c734009f14e2691292fb939ba79cd.pdf
- https://static.usrfiles.com/ugd/b8c837_7c4bcfd4219a421899f64d8d8e73d6f7.pdf
- https://static.usrfiles.com/ugd/696b8a_104740e12ff045c8855f56079393ae5b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000055dc.bin` `c87b0ef22e703d41255697a2ecca4581dcc01fc27565fd9a88870ebeb6564ee5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x55DC	6004 bytes
`font_01_sfnt_off00006a4c.bin` `61ee1c17271f787c06c278c5bb206f63eadf3069265a3789f42cbb215e5cb849`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A4C	3152 bytes
`font_02_sfnt_off0000770c.bin` `ed7f170a911c34a2fe6cf6af379b7ed77d202df63f47292b14d561fa89872288`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x770C	9896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.