PDF malware analysis — malicious · 9756e40c0f14edfa

MALICIOUS

PDF

48.5 KB Created: 2020-08-15 01:36:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2bdc0cf47b52af2083fe42812758f895 SHA-1: 560c079cb873209b37e40849f1259bdd6fcda9b6 SHA-256: 9756e40c0f14edfa60fb7f73c673c5a1b77a4d21fdd142c22483995d8ac52eb2

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links hosted on 'cdn.shopify.com'. The document body, though heavily obfuscated, contains the malicious URL. The presence of a 'Download Button' heuristic further supports a lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=vidmate+hd+video+er+3+45+apk
- http://bukube.mindls.com/uploads/1/3/1/4/131455734/6484912.pdf
- http://files.saintstephencca.com/uploads/1/3/1/6/131606733/vafexebesi_jixamuvax_lavuzivumugi.pdf
- http://kifamix.hiflos.com/uploads/1/3/1/4/131406390/wakozasera.pdf
- http://files.piratereaders.org/uploads/1/3/1/3/131398386/aea434663602.pdf
- https://cdn.shopify.com/s/files/1/0438/3830/8512/files/asset_management_information_system.pdf
- https://cdn.shopify.com/s/files/1/0431/8376/7713/files/new_super_mario_bros_wii_iso.pdf
- https://cdn.shopify.com/s/files/1/0428/8171/2287/files/bimenetonadadaz.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zijuk.pdf
- https://cdn.shopify.com/s/files/1/0428/9203/4211/files/somuli.pdf
- https://cdn.shopify.com/s/files/1/0431/3376/3746/files/zeganerelanimekudi.pdf
- https://cdn.shopify.com/s/files/1/0429/1044/9830/files/36760761333.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/loxutiwijadewafulon.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006625.bin` `013fc9f45313cdddd5762e6694753e55f6a85ad2eec225b6e17fd140af1ee5c7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6625	2952 bytes
`font_01_sfnt_off000070b4.bin` `f3e816008e18548af0142c140edbf29c00dc055068390cc4c8fec9df04c5323e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x70B4	5136 bytes
`font_02_sfnt_off00008238.bin` `6c7aa9365c7ad039aa3f36f8946cd02f9fc52c8a64fd39bc73f3db1383dc37e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8238	10876 bytes
`font_03_sfnt_off0000a6a8.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA6A8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.