PDF malware analysis — malicious · abe59cd671bef8db

MALICIOUS

PDF

54.0 KB Created: 2020-08-07 17:46:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 82417b23a1389906c49f900f2046ab64 SHA-1: fdcc3da5923f2d196dc226bd74c8a3801dee7836 SHA-256: abe59cd671bef8dbc745ab0b66b675592819a025299466c8e12105e303668476

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The PDF also exhibits characteristics of a link farm, with numerous external links, further supporting the malicious redirection intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cracking+the+money+code+pdf+download
- http://files.railoun.com/uploads/1/3/1/4/131408788/3826104.pdf
- http://kojux.f-c-f.net/uploads/1/3/0/7/130738993/rugazapes.pdf
- http://files.enzoarticulator.com/uploads/1/3/1/8/131871424/kalavibal-winotirirewukir-lorarawumoraxom-sexinuka.pdf
- http://joduv.mikevaninophotography.com/uploads/1/3/1/4/131453133/dupudabalamas.pdf
- https://cdn.shopify.com/s/files/1/0432/5372/7394/files/63683148493.pdf
- https://cdn.shopify.com/s/files/1/0431/5286/7494/files/tatutakurajo.pdf
- https://cdn.shopify.com/s/files/1/0431/5942/1092/files/65684538561.pdf
- https://cdn.shopify.com/s/files/1/0436/0631/1070/files/nutovimenilekogowaf.pdf
- https://cdn.shopify.com/s/files/1/0430/9850/5369/files/38636911171.pdf
- https://cdn.shopify.com/s/files/1/0429/3486/1991/files/89335399998.pdf
- https://cdn.shopify.com/s/files/1/0434/7677/9174/files/jaxajupibajajejopexadujod.pdf
- https://cdn.shopify.com/s/files/1/0431/2891/4087/files/venikajodivepo.pdf
- https://cdn.shopify.com/s/files/1/0432/1204/6491/files/8844435398.pdf
- https://cdn.shopify.com/s/files/1/0432/0867/1394/files/75601127002.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/danedogorolulefumatexa.pdf
- https://cdn.shopify.com/s/files/1/0431/5774/9917/files/xufepenegubosejilaxosixeg.pdf
- https://cdn.shopify.com/s/files/1/0428/4219/4083/files/perarovus.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008684.bin` `30a1e4aaf608d0fe221a7610b0c83de39be077086225317a2eb384c7af0941a7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8684	5460 bytes
`font_01_sfnt_off00009901.bin` `ba2f240bb8b1c96935795dcfd2fdf0c593a47b8f6edd86261285168e8555066d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9901	10420 bytes
`font_02_sfnt_off0000bca4.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBCA4	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.