PDF malware analysis — malicious · a9716e27aa4db0fb

MALICIOUS

PDF

43.3 KB Created: 2020-08-22 07:09:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 689ce7e80b63b91bb1daa2cd903a644f SHA-1: 37758d75bea7328cb81021979761456e08d821da SHA-256: a9716e27aa4db0fb4b7c4a8f8680a1b84602ddefe27c50748755b9a3a7230dbb

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, with the primary redirector URL being https://ttraff.com/pify?keyword=linear+guide+rails+and+blocks. The document body text is largely unreadable binary data, but the presence of the malicious URL and the link farm structure strongly suggest a phishing or malware distribution attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=linear+guide+rails+and+blocks
- http://files.rethanksaz.com/uploads/1/3/1/8/131856646/xidebuxani.pdf
- http://xujisiki.erikgjesfjeld.net/uploads/1/3/1/1/131164312/tonatuvenir-bavuloxo.pdf
- http://wuvan.womenschangecoach.com/uploads/1/3/1/4/131453624/5613303.pdf
- http://files.whitelodgeownersinc.com/uploads/1/3/1/4/131437775/6482334.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vibamiwa.pdf
- https://cdn.shopify.com/s/files/1/0433/5337/4874/files/43836686009.pdf
- https://cdn.shopify.com/s/files/1/0429/6795/7658/files/90907497964.pdf
- https://cdn.shopify.com/s/files/1/0431/6200/9755/files/vidibaligofilenaxur.pdf
- https://cdn.shopify.com/s/files/1/0434/6216/4644/files/63605493759.pdf
- https://cdn.shopify.com/s/files/1/0431/7881/9735/files/xafifupurisijovewodamo.pdf
- https://cdn.shopify.com/s/files/1/0438/3254/1344/files/nanif.pdf
- https://cdn.shopify.com/s/files/1/0435/1423/3000/files/nugutub.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/39086675177.pdf
- https://cdn.shopify.com/s/files/1/0431/2170/5124/files/beery_vmi_assessment.pdf
- https://cdn.shopify.com/s/files/1/0431/2127/9137/files/daxusiduwer.pdf
- https://cdn.shopify.com/s/files/1/0435/5004/8420/files/xemafitovelonen.pdf
- https://cdn.shopify.com/s/files/1/0447/5479/6698/files/paneri.pdf
- https://cdn.shopify.com/s/files/1/0436/8692/0347/files/31984002503.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a79.bin` `1d3ddaa41b0e99d4412de76944d958d4005bfd7d2e253089127879efa06d25f0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A79	5252 bytes
`font_01_sfnt_off00007c58.bin` `d3708042c5b53b62adce2e999394e3af8803e3629068fc065e071fb046e8532c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C58	10480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.