PDF malware analysis — malicious · ad2b41ec425b256a

MALICIOUS

PDF

45.5 KB Created: 2020-08-21 19:42:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 86819b732fa8fc2b5f9042daa962a829 SHA-1: b3300958363a5e57ba5ac5e8388823e524f50e28 SHA-256: ad2b41ec425b256aea773130c73068e811a6bb562bc0becf2e19d1cc8d6d48ac

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1200 Hardware Add-in Systems

The PDF file contains a significant number of embedded external links, with a critical heuristic firing indicating a malicious redirector. The primary malicious URL identified is 'https://ttraff.cc/pify?keyword=osaka+japan+tour+guide', which is likely used to redirect users to a malicious site. The document body itself is largely unreadable binary data, but the presence of numerous links, including those pointing to potentially malicious infrastructure, strongly suggests a social engineering attack aimed at luring users to compromised or malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=osaka+japan+tour+guide
- http://files.standishbiblechurch.org/uploads/1/3/1/1/131164130/ligas-losixunak-budubovevisubok.pdf
- http://rarijotu.buchspielerrecords.com/uploads/1/3/1/4/131482962/wuzugolutapu_tubimav_vofexiza_wugeli.pdf
- http://files.prideofbaker.com/uploads/1/3/2/8/132816042/rawipamu-dolatarobe.pdf
- http://files.rainbowrevelry.com/uploads/1/3/1/1/131163867/libew-gusalezuku.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64238793182.pdf
- https://cdn.shopify.com/s/files/1/0428/8941/2767/files/92242245322.pdf
- https://cdn.shopify.com/s/files/1/0435/4929/4756/files/convert_cdf_to_python.pdf
- https://cdn.shopify.com/s/files/1/0431/9212/3560/files/piriletinexatadorekuguf.pdf
- https://cdn.shopify.com/s/files/1/0432/8525/0216/files/report_card_comments_for_behavior_problems.pdf
- https://cdn.shopify.com/s/files/1/0429/4885/3926/files/wowebol.pdf
- https://cdn.shopify.com/s/files/1/0430/2798/8634/files/fefaxatego.pdf
- https://cdn.shopify.com/s/files/1/0438/5921/4501/files/airplane_flying_handbook_2017.pdf
- https://cdn.shopify.com/s/files/1/0430/1645/4305/files/xazilosobogugiviwoloz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e28.bin` `87564cda6a235a66d921990031029e9a0d6513be92c3bf59395b385a45d471e9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E28	5264 bytes
`font_01_sfnt_off0000701e.bin` `d840b59129987a3a4524acbe7df0583f8b788f48386983a4ee711892aefba600`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x701E	10704 bytes
`font_02_sfnt_off000094b2.bin` `9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x94B2	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.