PDF malware analysis — malicious · 9572949807344b4d

MALICIOUS

PDF

44.3 KB Created: 2020-08-22 18:19:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 620eb971512b4bc335c5c8247fe91263 SHA-1: 79866e5d0eec8fc2e2f4132313a566caad932f72 SHA-256: 9572949807344b4db13f7322773f4ca6e55caa01bd55d179c831cdd7dcc39536

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF SEO Link Farm'. The primary malicious URL, 'https://ttraff.cc/pify?keyword=activated+sludge+process+pdf+nptel', is flagged as a known malicious redirector. The document body, though heavily obfuscated, appears to contain the same keyword as the malicious URL, suggesting a lure. The presence of numerous Shopify links, while many are confirmed benign, contributes to the overall link farm characteristic.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=activated+sludge+process+pdf+nptel
- http://jururagoz.kevinwiczer-actingcoach.com/uploads/1/3/1/4/131483152/4543375.pdf
- https://cdn.shopify.com/s/files/1/0437/1303/6439/files/katapugifilonox.pdf
- https://cdn.shopify.com/s/files/1/0433/1329/9620/files/34801983166.pdf
- https://cdn.shopify.com/s/files/1/0427/9071/5548/files/letopapi.pdf
- https://cdn.shopify.com/s/files/1/0429/0835/2679/files/kudoluvalakidido.pdf
- https://cdn.shopify.com/s/files/1/0429/7133/2767/files/49834898550.pdf
- https://cdn.shopify.com/s/files/1/0436/7895/7718/files/zaviwegabuvofaw.pdf
- https://cdn.shopify.com/s/files/1/0431/3199/4280/files/40836800880.pdf
- https://cdn.shopify.com/s/files/1/0430/0413/3525/files/girl_butt_crack.pdf
- https://cdn.shopify.com/s/files/1/0430/5358/0439/files/53760901738.pdf
- https://cdn.shopify.com/s/files/1/0429/9731/7783/files/gujoborikobipudavo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000062aa.bin` `3c3efa18ecf3021028fecb38e276231acd98352579bbe0b00d2ccb335cb52e30`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62AA	5252 bytes
`font_01_sfnt_off00007497.bin` `f96bf0822a1bd5734a10278cf5d2988d0c10137d42c38832c737f1a6b6e9f7dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7497	9812 bytes
`font_02_sfnt_off00009624.bin` `ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9624	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.