PDF malware analysis — malicious · 955afc4b53ed864b

MALICIOUS

PDF

58.2 KB Created: 2020-08-30 06:18:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a8e5b0baf020d81cc88882b99752b402 SHA-1: a1cd60e3a9a19fee4a44f060357ebc012c3beca0 SHA-256: 955afc4b53ed864b6a58a03808c84c3ea751967cb23c2b0f8ec02ed35a4b3e42

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. Additionally, it exhibits a PDF link farm heuristic, with numerous links to Shopify-hosted PDFs, suggesting an attempt to manipulate search engine results or distribute content. The document body, though heavily obfuscated, contains the malicious URL and a benign-looking PDF filename, indicating a lure. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=pembroke+corgi+chicago
- https://cdn.shopify.com/s/files/1/0437/8437/2386/files/wowozominatitusatirelavo.pdf
- https://cdn.shopify.com/s/files/1/0431/6220/6357/files/aramaic_interlinear_new_testament.pdf
- https://cdn.shopify.com/s/files/1/0430/1615/9395/files/wigunesenudanivonij.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51031200676.pdf
- https://cdn.shopify.com/s/files/1/0431/6043/6900/files/53713140333.pdf
- https://cdn.shopify.com/s/files/1/0428/0591/9903/files/57636424819.pdf
- https://cdn.shopify.com/s/files/1/0434/0459/1271/files/robapofapejurefedetawi.pdf
- https://static.usrfiles.com/ugd/b8c837_d349c48c4b87436dbe84a3b9d143293c.pdf
- https://static.usrfiles.com/ugd/b8c837_f88b12853e9c49428d94cbfe45163158.pdf
- https://static.usrfiles.com/ugd/ed64d2_2f7c04d8282e466b92951fd4f8a489f8.pdf
- https://static.usrfiles.com/ugd/97634b_a13191bb1ce04922973832c40703e419.pdf
- https://static.usrfiles.com/ugd/0047a4_63a1af1a746f4043b86a2ffdd9f4821a.pdf
- https://static.usrfiles.com/ugd/c0fca2_0450a0da34444bf08d998c10b52d5e54.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000099b6.bin` `f978aafded2b767829bbbbdcb1de46f1e534403f1890cf8e41c09c60d65f8b69`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x99B6	4812 bytes
`font_01_sfnt_off0000aa00.bin` `5d1bb1282170b402a57c17733bdeea879f356567763f4e4181a1930430880e43`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAA00	10420 bytes
`font_02_sfnt_off0000cd8a.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCD8A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.