PDF malware analysis — malicious · a5bef325b109b494

MALICIOUS

PDF

41.1 KB Created: 2020-09-18 22:21:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 536a55e2b749c57a9a92748eb03d1b0c SHA-1: e97b9320bd804fedf3363f00f2cb2e64c1f7e0e9 SHA-256: a5bef325b109b494444efffcba9bc93d0d942b80934e1859e2502fa8e1fd79f3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to Shopify domains, but one critical link directs to 'ttraff.club', a known malicious redirector. This redirector is likely intended to lure the user into clicking a link related to 'color syntax discord', potentially leading to a phishing or malware download site. The PDF structure and the presence of numerous links suggest a link farm or SEO poisoning tactic to distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=color+syntax+discord
- http://wavivaza.martinisdigz.com/uploads/1/3/1/4/131408022/3796390.pdf
- http://files.citizensmedicare.org/uploads/1/3/1/4/131406365/bujidepege.pdf
- http://pawixal.fcoca.org.uk/uploads/1/3/2/6/132695615/34ea6e.pdf
- http://files.edgeprogram.info/uploads/1/3/1/3/131398059/fegaji-muvaduni.pdf
- http://files.sistersinlaws.com/uploads/1/3/0/8/130874058/nepokaxinezavepuzej.pdf
- https://cdn.shopify.com/s/files/1/0437/9734/8514/files/75869797308.pdf
- https://cdn.shopify.com/s/files/1/0434/9201/6280/files/32259266928.pdf
- https://cdn.shopify.com/s/files/1/0437/9967/5041/files/70678528703.pdf
- https://cdn.shopify.com/s/files/1/0429/5491/5993/files/26582731365.pdf
- https://cdn.shopify.com/s/files/1/0435/5879/7471/files/persona_5_books_for_guts.pdf
- https://7a7a20ed-22a7-45a4-a7bd-fc1381f8b313.filesusr.com/ugd/b90ba1_c0798f609c324eceb861551224f2de87.pdf?index=true
- https://ef978207-2d8b-41bd-a2d4-0d63871f1614.filesusr.com/ugd/bdc04d_a172115147234f32a081c334b48b489b.pdf?index=true
- https://7995ec9b-a226-4fef-a2cf-322a27bcd744.filesusr.com/ugd/d90490_c7266d7e0b8841cc8cf8d67ec89dbdca.pdf?index=true
- https://a0d41b53-50f1-4263-b376-8672ebd81a68.filesusr.com/ugd/d61b30_ab17be474a214cc5a54171fa504adeca.pdf?index=true
- https://52260359-f1cd-4800-b07e-bb79cf650145.filesusr.com/ugd/c4dbd3_2d1e8d53828042d39c6b4e9e5405b6e4.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://ef978207-2d8b-41bd-a2d4-0d63871f1614.filesusr.com/ugd/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063f7.bin` `4de296c714142971dbc6415eb357d34396c2381e84783b1b9f129387481176e9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63F7	5008 bytes
`font_01_sfnt_off00007514.bin` `e18271a0c6d136a9626e1528bf621e4bac30bc8f3437918c10b5fcc9c0eba9df`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7514	10072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.