PDF malware analysis — malicious · 9d28ceb6c3c40626

MALICIOUS

PDF

39.4 KB Created: 2020-08-25 23:12:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f87d9f70c6883c7bb469adfb8274f80e SHA-1: 445a5f3c7c764a663dfdb538286374516fb8ca4b SHA-256: 9d28ceb6c3c406266bb6b882d5c56dfdd0bde592f93d786ecd95960a6caff3e8

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector at 'ttraff.com'. This redirector is likely used to obscure the final destination and potentially deliver a malicious payload or conduct a phishing attack. The presence of a 'download button' heuristic further supports the idea that the document is designed to trick the user into clicking a link. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the attack vector.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=emergency+contact+mary+choi+epub
- http://wopebedab.theflorecerproject.com/uploads/1/3/1/3/131379478/masedejasurekawuwe.pdf
- https://cdn.shopify.com/s/files/1/0434/8346/3832/files/51039073356.pdf
- https://cdn.shopify.com/s/files/1/0434/6393/4109/files/7977054886.pdf
- https://cdn.shopify.com/s/files/1/0435/6354/8833/files/bibosikuxitogomufutatox.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30347825404.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kekesapenogetiru.pdf
- https://cdn.shopify.com/s/files/1/0433/1657/6424/files/6124949142.pdf
- https://cdn.shopify.com/s/files/1/0430/1442/2677/files/84709952109.pdf
- https://cdn.shopify.com/s/files/1/0433/5815/9006/files/53433700803.pdf
- https://cdn.shopify.com/s/files/1/0428/6572/1503/files/80266279255.pdf
- https://cdn.shopify.com/s/files/1/0430/9699/8048/files/miditifisozemu.pdf
- https://cdn.shopify.com/s/files/1/0433/6631/8230/files/nonivinetujikomof.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005009.bin` `3a11fe68da88a1600feb3c4e4fa452b994728c140d9c6f8b9e5e819355775c78`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5009	5220 bytes
`font_01_sfnt_off00006193.bin` `dcd330722c614e268fb21ce16a120617e7e4294a8b4ca98f76c3183bf0e0f905`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6193	9700 bytes
`font_02_sfnt_off000082cd.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x82CD	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.