PDF malware analysis — malicious · aaa625d1b621f455

MALICIOUS

PDF

39.8 KB Created: 2020-08-03 02:40:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d9a5b258f0fd0a127b903c586e418626 SHA-1: dafd25a17d940cd47cc68c94ae6966e342c976a9 SHA-256: aaa625d1b621f4555b0a0d71edf200b0d51ad1b552a75f59a0c514d265d81683

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to ttraff.com, which is a known malicious infrastructure. It also contains a PDF link farm heuristic, indicating a large number of outbound links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the text 'What is love. mp3 download' and the malicious redirector URL, suggesting a lure to download content. The 'SE_BROWSER_INSTALL_LURE' heuristic further supports the social engineering aspect, indicating the document likely prompts the user to install something to view content, which is a common tactic for malware delivery.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=what+is+love.+mp3+download
- http://files.alisalman.ca/uploads/1/3/1/6/131636651/1098389.pdf
- http://files.mars-hill-press.com/uploads/1/3/0/7/130740530/nexavasenozesaf-zupore.pdf
- http://files.jacobtrimble.com/uploads/1/3/1/3/131379828/e38b24f9bd1848.pdf
- https://cdn.shopify.com/s/files/1/0428/3020/0991/files/loxivope.pdf
- https://cdn.shopify.com/s/files/1/0430/2969/2577/files/43081616522.pdf
- https://cdn.shopify.com/s/files/1/0430/7278/2489/files/37378132580.pdf
- https://cdn.shopify.com/s/files/1/0434/9755/4084/files/ffxiv_how_to_buy_a_house.pdf
- https://cdn.shopify.com/s/files/1/0428/6591/8118/files/70431359068.pdf
- https://cdn.shopify.com/s/files/1/0435/4346/2037/files/how_to_write_acknowledgement_for_thesis_pdf.pdf
- https://cdn.shopify.com/s/files/1/0431/5496/4629/files/bujerugenewunesunoba.pdf
- https://cdn.shopify.com/s/files/1/0428/8688/9639/files/76766179793.pdf
- https://cdn.shopify.com/s/files/1/0429/2762/0249/files/lubaxebujisu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e84.bin` `ebace45d8277d1b15006706e193f603aac0f4d7353206bbd119512ba20f8161e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E84	5464 bytes
`font_01_sfnt_off00007112.bin` `98a304c43f0cbe1691809ad588cd61d71b1af82c95ee71ad40afdd02a1f8b4ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7112	9844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.