PDF malware analysis — malicious · a3eda70cbea95e72

MALICIOUS

PDF

54.6 KB Created: 2020-08-18 21:00:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fe4c0662e4ddfe1b2c6dc591fc8c66f4 SHA-1: d7288d9a6bea7d722823bbc9ba5e74c0fecf0124 SHA-256: a3eda70cbea95e7274fcd56c55b7a91e4c53f22da2196ce57a06b5ee023dc982

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a specific redirector link, indicating a phishing or redirection attempt. The primary malicious link identified is https://ttraff.com/pify?keyword=dsssb+answer+key+86%252F+17, which is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Dsssb answer key', suggesting a lure to trick users into clicking the malicious link. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=dsssb+answer+key+86%252F+17
- http://files.wonderpin.com/uploads/1/3/1/3/131379923/a4d87b.pdf
- http://files.smokeheadguitars.co.uk/uploads/1/3/1/8/131871593/8108800.pdf
- http://files.sdreece.com/uploads/1/3/1/4/131438541/lusorekamomuxejafu.pdf
- https://cdn.shopify.com/s/files/1/0430/0167/5939/files/98940455185.pdf
- https://cdn.shopify.com/s/files/1/0434/0688/5031/files/sewebi.pdf
- https://cdn.shopify.com/s/files/1/0434/1956/6231/files/jodiwikevozijigogijole.pdf
- https://cdn.shopify.com/s/files/1/0435/2599/6698/files/89198808679.pdf
- https://cdn.shopify.com/s/files/1/0428/4016/2467/files/tafomolexutatepobora.pdf
- https://cdn.shopify.com/s/files/1/0443/8360/0806/files/13938610215.pdf
- https://cdn.shopify.com/s/files/1/0438/8611/7032/files/vasika.pdf
- https://cdn.shopify.com/s/files/1/0435/6702/2239/files/65633693229.pdf
- https://cdn.shopify.com/s/files/1/0431/1272/6677/files/10171607092.pdf
- https://cdn.shopify.com/s/files/1/0432/2007/4663/files/laxapoz.pdf
- https://cdn.shopify.com/s/files/1/0435/4356/0351/files/87892351999.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063af.bin` `0127105929e6b4d08d71e970fb2e4ae7b0ee08fff78b6f841ab3362f287d6dc3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63AF	5560 bytes
`font_01_sfnt_off000076da.bin` `d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76DA	3720 bytes
`font_02_sfnt_off0000823e.bin` `efbd10d41f1d8af821c76f51c9830986b35d93b1a235f742ef61222f8c32d599`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x823E	15136 bytes
`font_03_sfnt_off0000b166.bin` `15996df1388d6d7ea2b82f032c35e2e6bd03e26d47a400600d51ab80e641a065`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB166	7748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.