PDF malware analysis — malicious · a25e0f2afc619f80

MALICIOUS

PDF

67.9 KB Created: 2020-08-05 09:48:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5e5d67de0d560bf00e153e37c800a425 SHA-1: 731bcbb437c31762b2531f8401ecb9d83d17c1c8 SHA-256: a25e0f2afc619f80aa9d6220456f729f176c6b9d8286b0ddd690cf85b1d481b2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a link farm and a direct link to a redirector URL, indicating a phishing or scam attempt. The primary malicious link is https://ttraff.cc/pify?keyword=aircraft+structures+for+engineering+students+5th+edition+pdf, which is designed to lure users to a malicious destination. The document body, though heavily corrupted, contains text related to engineering textbooks, likely a pretext for the malicious link.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=aircraft+structures+for+engineering+students+5th+edition+pdf
- http://files.cochranechildcare.net/uploads/1/3/2/8/132814168/6937318e9d.pdf
- http://files.mod-el.org/uploads/1/3/1/3/131380305/5515673.pdf
- http://files.arnprioranimalhospital.ca/uploads/1/3/0/7/130740517/a30d1b44.pdf
- https://cdn.shopify.com/s/files/1/0434/6665/3858/files/c_subset_of_vector.pdf
- https://cdn.shopify.com/s/files/1/0428/2191/0687/files/77788454817.pdf
- https://cdn.shopify.com/s/files/1/0428/2328/6940/files/rizalowagajufile.pdf
- https://cdn.shopify.com/s/files/1/0429/6015/8873/files/17174774061.pdf
- https://cdn.shopify.com/s/files/1/0431/4903/3627/files/35694248200.pdf
- https://cdn.shopify.com/s/files/1/0433/5756/9176/files/61721273875.pdf
- https://cdn.shopify.com/s/files/1/0429/7244/6873/files/8792507860.pdf
- https://cdn.shopify.com/s/files/1/0433/2060/6885/files/roguvuwuwezefojejas.pdf
- https://cdn.shopify.com/s/files/1/0434/6734/1974/files/formulaire_cerfa_13754_x_02.pdf
- https://cdn.shopify.com/s/files/1/0429/1434/9219/files/nivuxigo.pdf
- https://cdn.shopify.com/s/files/1/0431/5322/7936/files/11833006483.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000984c.bin` `f57a6107c81ca813482504acf93e58ef67ce6f26926eed40edf889d234d4b0c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x984C	5500 bytes
`font_01_sfnt_off0000aafa.bin` `b33e43ec78646c2cbed06d8833d443ba43101c17c58155e9872a2af18e5a25db`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAAFA	2472 bytes
`font_02_sfnt_off0000b539.bin` `fe93c9c5e9a24f6bc52e1d01313a77a9dbbc65f4aa436b3426a3b43e88737b48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB539	17504 bytes
`font_03_sfnt_off0000ecf4.bin` `99dc80f4e35ecbd485aec20692fae4feb9ee2895e9102f631d55a3222af1d7fe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xECF4	16080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.