PDF malware analysis — malicious · 9a21efa171087d41

MALICIOUS

PDF

45.0 KB Created: 2020-08-13 05:46:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4bc08fbfea014126e419864c468ff0b0 SHA-1: 23eda84dcd92c234052d5022aadf1eb1ed1a58c2 SHA-256: 9a21efa171087d410841f7b66278ee66e901cc164f801d592bd2b2f9b589a955

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, 'https://ttraff.com/wb?keyword=decimator%20g%20string%202%20manual', is identified as a known malicious redirector. This suggests the document is part of a link farm designed to lure users to malicious sites, likely for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=decimator%20g%20string%202%20manual
- http://files.laurelwoodtroy.com/uploads/1/3/0/9/130969357/xinajutef-zerexakudugagup-fuwavemep.pdf
- http://files.stellasbakery.store/uploads/1/3/1/4/131437515/xofugosig_xilevifilupate.pdf
- http://files.dcmspto.org/uploads/1/3/0/9/130970009/gileraduz.pdf
- https://cdn.shopify.com/s/files/1/0437/5799/4138/files/72014461632.pdf
- https://cdn.shopify.com/s/files/1/0438/9833/9496/files/19372566115.pdf
- https://cdn.shopify.com/s/files/1/0432/2584/1819/files/74450620463.pdf
- https://cdn.shopify.com/s/files/1/0438/6367/0939/files/81643682290.pdf
- https://cdn.shopify.com/s/files/1/0428/7964/7900/files/banking_awareness_for_sbi_po_2020.pdf
- https://cdn.shopify.com/s/files/1/0430/9218/1153/files/maxezivizawaf.pdf
- https://cdn.shopify.com/s/files/1/0434/0377/2056/files/69700051.pdf
- https://cdn.shopify.com/s/files/1/0438/5452/8677/files/gakubegubadameluxiboxuzig.pdf
- https://cdn.shopify.com/s/files/1/0433/5520/9879/files/86862236570.pdf
- https://cdn.shopify.com/s/files/1/0431/8131/0114/files/jejefezizakoboj.pdf
- https://cdn.shopify.com/s/files/1/0434/6983/2357/files/formulation_and_evaluation_of_aerosols.pdf
- https://cdn.shopify.com/s/files/1/0428/3236/3676/files/wulopurorenipawem.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53059057271.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006229.bin` `dce1ff061c10f281deb81fac95f7fb4260795c75fcb8cc046cb0616efe12295a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6229	5132 bytes
`font_01_sfnt_off00007385.bin` `402cf79026a1efef425b4bc1a44e20ba59c95987209d43055782dc2edfa3b7d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7385	10520 bytes
`font_02_sfnt_off00009765.bin` `ad623bc7c681097dfa1224999cf6cc6072d3ca9a137655dc1129b0261f0b357c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9765	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.