PDF malware analysis — malicious · ab206aeb99d46aea

MALICIOUS

PDF

45.1 KB Created: 2020-08-18 20:28:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 751c81b9888aaa2e7fcdf9515f42c500 SHA-1: 3cbd771ec077855b5af7c0c94a3ea68b50dfbe73 SHA-256: ab206aeb99d46aeac6329a7fa7139a762bb4ff9bb30672dfa630c4344746fe8a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=elements+of+news+reporting'. This URL is likely used to redirect the user to a malicious site for phishing or malware delivery. The document also contains a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=elements+of+news+reporting
- http://milep.willowindstudios.com/uploads/1/3/1/4/131406344/rukulumoxevenonija.pdf
- http://files.cubrajackpot.com/uploads/1/3/2/6/132683135/sajavabut.pdf
- https://cdn.shopify.com/s/files/1/0431/3019/2039/files/mean_value_theorem_for_derivatives.pdf
- https://cdn.shopify.com/s/files/1/0430/6416/4506/files/zobava.pdf
- https://cdn.shopify.com/s/files/1/0429/9938/2170/files/mapa_cajon_del_maipo.pdf
- https://cdn.shopify.com/s/files/1/0432/3092/0871/files/age_of_war_empires_3_mod_apk.pdf
- https://cdn.shopify.com/s/files/1/0434/1871/4264/files/javascript_tutorial_complete.pdf
- https://cdn.shopify.com/s/files/1/0429/9417/2058/files/95175420129.pdf
- https://cdn.shopify.com/s/files/1/0428/5900/4070/files/3779381268.pdf
- https://cdn.shopify.com/s/files/1/0436/2534/9283/files/xexel.pdf
- https://cdn.shopify.com/s/files/1/0429/9456/5271/files/14560772126.pdf
- https://cdn.shopify.com/s/files/1/0432/2436/7266/files/72340659421.pdf
- https://cdn.shopify.com/s/files/1/0435/9503/8877/files/sateriparidotumafaze.pdf
- https://cdn.shopify.com/s/files/1/0433/6071/4904/files/41799709514.pdf
- https://cdn.shopify.com/s/files/1/0430/6921/0773/files/romurimusirixusibo.pdf
- https://cdn.shopify.com/s/files/1/0433/8289/8840/files/2989445266.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0434/1871/426

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000671d.bin` `a4861a2e26b3c463cb2db36ef19b948af1b2b4964f699a0b9380561295fa8e1d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x671D	4848 bytes
`font_01_sfnt_off00007797.bin` `8c9cabcbda8d15538e0e8f29b66f5e19e641561c3607993a07cf2e084a9f7e0d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7797	9748 bytes
`font_02_sfnt_off000098ec.bin` `ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x98EC	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.