PDF malware analysis — malicious · 9ecd495572c546f5

MALICIOUS

PDF

45.3 KB Created: 2020-08-04 15:08:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 60d4e7f5d6cac3e769ad6ad407c5b3ca SHA-1: 8adfda65e770f78e0551da4213c0044851d1695e SHA-256: 9ecd495572c546f5eed067bb0387a4c827e555ccb52c5e217e78ae1e80b13046

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a malicious redirector URL, masquerading as a 'Journeyman electrician book pdf'. The primary malicious URL is https://ttraff.com/wb?keyword=journeyman%20electrician%20book%20pdf, which likely leads to further malicious content. No scripts were extracted from this sample, and the document body was heavily obfuscated.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=journeyman%20electrician%20book%20pdf
- http://files.kengallucciocup.com/uploads/1/3/0/7/130775759/woxudukipefonez.pdf
- http://files.rocksolidmarriages.com/uploads/1/3/1/4/131437753/0e9042fc3693f7.pdf
- http://files.fionabelousz.com/uploads/1/3/1/3/131398117/gebapuxavumuxi-bozono-nozogovuzekupaj-dewafupujadamob.pdf
- http://files.lockdowndoorshades.com/uploads/1/3/1/8/131856232/guxuta.pdf
- https://cdn.shopify.com/s/files/1/0431/2917/6232/files/litikumegumowimalibofifu.pdf
- https://cdn.shopify.com/s/files/1/0430/2913/5514/files/ledij.pdf
- https://cdn.shopify.com/s/files/1/0439/6879/0686/files/49012138499.pdf
- https://cdn.shopify.com/s/files/1/0434/5564/3813/files/utah_post_portal.pdf
- https://cdn.shopify.com/s/files/1/0429/7365/9290/files/92646959845.pdf
- https://cdn.shopify.com/s/files/1/0431/2875/0234/files/47535534856.pdf
- https://cdn.shopify.com/s/files/1/0434/8300/5093/files/degudoxirane.pdf
- https://cdn.shopify.com/s/files/1/0434/0079/0170/files/kireruwafikevomifaxetodup.pdf
- https://cdn.shopify.com/s/files/1/0431/4896/8100/files/lidolodid.pdf
- https://cdn.shopify.com/s/files/1/0432/0935/9520/files/90195406505.pdf
- https://cdn.shopify.com/s/files/1/0432/4897/6032/files/fubenulotuworexudijulidil.pdf
- https://cdn.shopify.com/s/files/1/0435/4208/5783/files/61084818405.pdf
- https://cdn.shopify.com/s/files/1/0432/5592/2852/files/gufumifunefe.pdf
- https://cdn.shopify.com/s/files/1/0431/2147/5738/files/bulupege.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064ed.bin` `1d40de5fbf40412f2594d1237b25cab94a3ba2f30a8a748e7929eafd20a61550`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64ED	5300 bytes
`font_01_sfnt_off000076df.bin` `e5f7e7d7b3cf52fa7026471449346361bfe095a2f648e346fb36d8d26fbf0ac3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76DF	10472 bytes
`font_02_sfnt_off00009a38.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A38	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.