PDF malware analysis — malicious · ac60b8e3a205fb3a

MALICIOUS

PDF

51.6 KB Created: 2020-08-21 14:22:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 658c7b2de13370857f1c759e14ea8406 SHA-1: 75535f0ad6775f01c76d70fca5acd217f221f20c SHA-256: ac60b8e3a205fb3ac7fd9b7dd37632d963d0f808dbefffca160959982dc2d92f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/pify?keyword=commandos+2+android+game', is designed to redirect users to malicious content. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, many hosted on Shopify. The primary intent appears to be user redirection to a malicious site, likely for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=commandos+2+android+game
- http://files.diamonddashmealprep.com/uploads/1/3/0/7/130775784/a709d74b95606.pdf
- http://nolewafux.matersports.com/uploads/1/3/2/6/132696030/4307779.pdf
- https://cdn.shopify.com/s/files/1/0431/7328/1948/files/44271397893.pdf
- https://cdn.shopify.com/s/files/1/0438/4089/7181/files/arthur_miller_collected_plays.pdf
- https://cdn.shopify.com/s/files/1/0435/0961/2712/files/ubuntu_shut_down_command.pdf
- https://cdn.shopify.com/s/files/1/0438/4918/7493/files/voxapojubor.pdf
- https://cdn.shopify.com/s/files/1/0429/3538/6265/files/favezemogulapuvibapilalon.pdf
- https://cdn.shopify.com/s/files/1/0435/5345/6289/files/pegewe.pdf
- https://cdn.shopify.com/s/files/1/0433/4052/9816/files/kuzopizufurorogub.pdf
- https://cdn.shopify.com/s/files/1/0429/3810/6023/files/27132033624.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/41841620016.pdf
- https://cdn.shopify.com/s/files/1/0433/8742/0835/files/3286456462.pdf
- https://cdn.shopify.com/s/files/1/0429/0212/6755/files/51057076324.pdf
- https://cdn.shopify.com/s/files/1/0432/9714/4990/files/gilurivuzitemumivosuk.pdf
- https://cdn.shopify.com/s/files/1/0431/2884/8538/files/83744727161.pdf
- https://cdn.shopify.com/s/files/1/0437/2230/9781/files/31573344016.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007d4d.bin` `cdda641ce0b3602c4b2bc611494982b0cce22cfa64c12d261821131b387516e0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D4D	4976 bytes
`font_01_sfnt_off00008e0e.bin` `54afe8c12584f95f984846621cd33aa22922e86569a560582d932fd388243290`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8E0E	10924 bytes
`font_02_sfnt_off0000b366.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB366	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.