PDF malware analysis — malicious · a9cb9726ed1d98ed

MALICIOUS

PDF

49.1 KB Created: 2020-07-31 11:47:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 78ec98977fa8e974bffd7b3b193a6563 SHA-1: fe8a6a494d24d0d13ba7e92073d258e717b0ebac SHA-256: a9cb9726ed1d98ed81f72017af9a58d3086de0c1975300ac9ed8c03db6383426

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure, specifically 'https://ttraff.cc/pify?keyword=drawing+tutorials+for+beginners+pdf'. The document body, though heavily obfuscated, suggests a lure related to drawing tutorials, likely to trick users into clicking the malicious links. The presence of numerous links, including a link farm, indicates a strong intent to redirect users to potentially harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=drawing+tutorials+for+beginners+pdf
- http://files.robinfouts.com/uploads/1/3/0/7/130739864/raxedejav-fegaraniwaj.pdf
- http://files.istudentsduke.org/uploads/1/3/1/0/131070379/5a5bb0284ee.pdf
- http://files.stagemusicstudios.com/uploads/1/3/1/3/131383478/tadew-xumitaxirokem.pdf
- http://files.prometheanrebellion.com/uploads/1/3/1/0/131071041/8734582.pdf
- http://files.joanhbrackcharitablefoundation.org/uploads/1/3/1/1/131163540/4190471.pdf
- http://files.stagemusicstudios.com/uploads/
- https://cdn.shopify.com/s/files/1/0433/4537/9478/files/88605257332.pdf
- https://cdn.shopify.com/s/files/1/0431/4162/8072/files/41036130538.pdf
- https://cdn.shopify.com/s/files/1/0429/1208/8231/files/momozewikobof.pdf
- https://cdn.shopify.com/s/files/1/0437/9344/9122/files/xuvesinawukumax.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/84712881745.pdf
- https://cdn.shopify.com/s/files/1/0428/2069/8268/files/43567991357.pdf
- https://cdn.shopify.com/s/files/1/0433/4367/5560/files/15619729712.pdf
- https://cdn.shopify.com/s/files/1/0428/1496/3868/files/18664494656.pdf
- https://cdn.shopify.com/s/files/1/0429/0982/7231/files/wogujizazagov.pdf
- https://cdn.shopify.com/s/files/1/0427/8393/2582/files/62905575459.pdf
- https://cdn.shopify.com/s/files/1/0430/4253/7629/files/10504593204.pdf
- https://cdn.shopify.com/s/files/1/0428/8921/6167/files/61128051115.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000081c2.bin` `ed4ed9a2d112843cf0797935ce735a66af8e4fba02f705ab4b420444ca77678b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81C2	5320 bytes
`font_01_sfnt_off000093ee.bin` `58af73da8f9f6373eec8b06d9b27c9edf66d54e271838033c29580de5f0d2da6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93EE	10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.