Malicious PDF — malware analysis report

Static analysis result for SHA-256 99fd321c638f67a8…

MALICIOUS

PDF

Size: 56.5 KB
Created: 2020-09-18 23:48:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44416461133b538972d96ef3757c7206
SHA-1: 72408677b5e80e062b7f6921ca4b6c5322fb3319
SHA-256: 99fd321c638f67a8715c916ea38cbbe81c601ebc99ad12822adc2fd94476cf6f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, https://ttraff.club/wix?keyword=scandia+festival+sf+bay+area+2020, which is likely intended to lead the user to a malicious site. The document also contains a large number of embedded links to other PDFs, suggesting a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted from this sample.

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=scandia+festival+sf+bay+area+2020
    • https://cdn.shopify.com/s/files/1/0431/2363/8426/files/pejoman.pdf
    • https://cdn.shopify.com/s/files/1/0432/1977/9742/files/pokav.pdf
    • https://cdn.shopify.com/s/files/1/0431/8131/0114/files/zutiwamikatulamidux.pdf
    • https://cdn.shopify.com/s/files/1/0434/0255/9655/files/noxonedalidabexasaze.pdf
    • https://38cbdb30-2c35-4851-a06e-84ac40637658.filesusr.com/ugd/02ccf7_5b7b33a4d47544a29a9e1e9a76eb1b43.pdf?index=true
    • https://60df4548-ef98-434a-bf35-13abe95e09c4.filesusr.com/ugd/370021_336fb76e994147d9b935ee8dff434d52.pdf?index=true
    • https://b1d56020-b912-494b-9912-dadc5c3bc688.filesusr.com/ugd/7603ae_b04f8f9b12dc44c9af5109627c808dad.pdf?index=true
    • https://82a4d201-f180-459f-97c6-69c35b0595b7.filesusr.com/ugd/01bc73_ef760af7cb50476ca4962b1568d31d1c.pdf?index=true
    • https://9eae22bc-d51b-4061-896f-603aa1564042.filesusr.com/ugd/3801ff_6bf5c7841d734a62a4de479472a155f0.pdf?index=true
    • https://9bf281c0-ed09-4581-b0bf-9b7001f9c0a4.filesusr.com/ugd/f515ca_72ce57e2eb6d4dcd8fe57c33ad48c343.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0428/7424/1183/files/alopurinol_300_mg_bula.pdf
    • https://cdn.shopify.com/s/files/1/0432/0047/9391/files/xematikiripafamaval.pdf
    • https://cdn.shopify.com/s/files/1/0432/5205/6227/files/lafargeholcim_financial_report_2018.pdf
    • https://cdn.shopify.com/s/files/1/0431/3976/0285/files/soruvo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000738a.bin
    SHA-256: fbaaf604dd1ab3488055e6847f020b0cc20372d99c6b94ca4b65b71b88e971fb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x738A
    Size: 5696 bytes
  • font_01_sfnt_off00008705.bin
    SHA-256: 02a00636414a298db92bdce26343d55f357c1560899b425969c265ef6041992e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8705
    Size: 18192 bytes
  • font_02_sfnt_off0000bda8.bin
    SHA-256: a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBDA8
    Size: 16204 bytes