PDF malware analysis — malicious · 95cfe8fcc8a25157

MALICIOUS

PDF

46.7 KB Created: 2020-08-02 09:50:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5c017afb167880f6b2bb889c8f6c1c6d SHA-1: 9d5bd1e78cecedcf8a02ddcd5d4e38a2e24c4ea6 SHA-256: 95cfe8fcc8a251579c713a49e1762c8aa35650bfb5a206587c43924e7b3c7f75

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, forming a link farm, with a critical heuristic identifying one of these links as a redirector to known malicious infrastructure. The document body, though partially obfuscated, contains the URL 'https://ttraff.com/pify?keyword=why+did+my+cheesecake+crack', which is flagged as malicious. This suggests the primary purpose is to drive traffic to malicious sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=why+did+my+cheesecake+crack
- http://files.vinodbharti.com/uploads/1/3/0/7/130775649/22f91ff.pdf
- http://files.howtocakethat.com/uploads/1/3/1/4/131483083/demeligidovopozurime.pdf
- http://files.arryinseattle.com/uploads/1/3/1/4/131438397/suruni_ganowovibusujav_fedizulupak_vitur.pdf
- https://cdn.shopify.com/s/files/1/0431/7079/1573/files/furulolulikiponemivubi.pdf
- https://cdn.shopify.com/s/files/1/0431/6643/3435/files/navopetajerutajun.pdf
- https://cdn.shopify.com/s/files/1/0427/7121/8588/files/53348552231.pdf
- https://cdn.shopify.com/s/files/1/0437/1264/3223/files/discord_purple_text.pdf
- https://cdn.shopify.com/s/files/1/0431/9825/1165/files/23632107048.pdf
- https://cdn.shopify.com/s/files/1/0434/0878/5562/files/36891390349.pdf
- https://cdn.shopify.com/s/files/1/0430/8451/3440/files/79285043015.pdf
- https://cdn.shopify.com/s/files/1/0430/9162/4096/files/16478280432.pdf
- https://cdn.shopify.com/s/files/1/0428/1863/3894/files/denizozufofinire.pdf
- https://cdn.shopify.com/s/files/1/0430/5757/8138/files/dekenotadowojolujinoxire.pdf
- https://cdn.shopify.com/s/files/1/0441/0372/9304/files/kewipefiruzunujaxef.pdf
- https://cdn.shopify.com/s/files/1/0431/7514/9719/files/daboxipapisutugiraxuzuna.pdf
- https://cdn.shopify.com/s/files/1/0431/5712/7336/files/discord_name_color_codes.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064dd.bin` `e1a32d247dcd0b2665d7f11a7c823e5b8f75ad2f432567bf16b6b5069eaa06fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64DD	5324 bytes
`font_01_sfnt_off000076e3.bin` `56d908d060368ba17ab215f288a58873a10801b5b8f2ede752d3c81792be83e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76E3	9572 bytes
`font_02_sfnt_off000097dd.bin` `975089639afea594160f6daa1ae948ffc4125994d61a9fd32dce02580f7b6b15`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97DD	16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.