PDF malware analysis — malicious · a54671249285a912

MALICIOUS

PDF

52.7 KB Created: 2020-08-11 04:57:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 80ab03182c962c8a2c200beb18bbc03d SHA-1: 39f5dec1abef5308add7071bb02ce4f936021b7f SHA-256: a54671249285a9128eb935452dc40006c1709e0a9a514ecc4a14af9826eaccc6

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM indicates a large number of external PDF links, likely for SEO manipulation or to host further malicious content. The embedded URL https://ttraff.cc/pify?keyword=libro+de+verduras+y+hortalizas+pdf is the primary indicator of malicious redirection. The document body, though heavily obfuscated, contains references to the redirector URL and appears to be a lure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=libro+de+verduras+y+hortalizas+pdf
- http://files.thestudioofperformingarts.com/uploads/1/3/1/4/131437885/vikamusupokas-widiko-zimifig.pdf
- http://magedes.artspark.com/uploads/1/3/0/7/130775403/3df5cea2e.pdf
- http://files.higher-learners.com/uploads/1/3/1/4/131453998/5968528.pdf
- https://cdn.shopify.com/s/files/1/0428/1879/7724/files/lesotho_work_permit_application_form.pdf
- https://cdn.shopify.com/s/files/1/0434/6966/8517/files/algorithme_chaine_de_caractere.pdf
- https://cdn.shopify.com/s/files/1/0428/9721/1551/files/halcones_de_venta_gratis.pdf
- https://cdn.shopify.com/s/files/1/0430/8421/8521/files/74901753793.pdf
- https://cdn.shopify.com/s/files/1/0433/9610/4348/files/puturekapifozofiri.pdf
- https://cdn.shopify.com/s/files/1/0429/1877/2903/files/wofadedubopa.pdf
- https://cdn.shopify.com/s/files/1/0427/9900/5863/files/begug.pdf
- https://cdn.shopify.com/s/files/1/0440/0034/6270/files/nanismo_gigantismo_e_acromegalia.pdf
- https://cdn.shopify.com/s/files/1/0429/8149/0847/files/ribose.pdf
- https://cdn.shopify.com/s/files/1/0436/9340/8409/files/wuromobaduf.pdf
- https://cdn.shopify.com/s/files/1/0428/1086/7871/files/88543817874.pdf
- https://cdn.shopify.com/s/files/1/0428/6359/1583/files/59282155410.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007518.bin` `b01799bee8772c36b64d440706913fc2778e5f92f142669a2395438f3d2e3c51`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7518	5424 bytes
`font_01_sfnt_off00008792.bin` `63af4d8c5272c868634e1b02ae3ec2ddf89e0f042fd4d68dc64fb6527cf95af8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8792	11540 bytes
`font_02_sfnt_off0000ad43.bin` `1996df2c4ae53b72149595c78431ad2c576a2ecd5f6b08b3a14fc3a1b9593d23`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAD43	16620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.