PDF malware analysis — malicious · aeb1b52c200ee989

MALICIOUS

PDF

256.3 KB Created: 2020-08-07 19:06:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c767b38daa016575127f8fec01b4b380 SHA-1: cf3211a8d9e2d22ae0fa80dcf42d94298e7f78fc SHA-256: aeb1b52c200ee989c2a0f254aeb52c78a2262d485a1f0dc33a79f86b791f7d64

108 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains heuristics indicating it is a malicious redirector link and an advance-fee scam lure, with urgency language used to prompt user interaction. The primary malicious URL identified is https://ttraff.com/pify?keyword=chapter+24+apush+pdf. No scripts were extracted from this sample, limiting the ability to determine further payload delivery or execution methods.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=chapter+24+apush+pdf
- http://files.jennypiersol.com/uploads/1/3/2/6/132681698/xelikof.pdf
- http://files.electricaloutlet.info/uploads/1/3/0/9/130969300/napelugaxu.pdf
- http://files.pureromancebyniki.com/uploads/1/3/0/8/130874667/8977218.pdf
- http://files.htxphotography.com/uploads/1/3/0/7/130776589/nazixip.pdf
- https://cdn.shopify.com/s/files/1/0429/3846/6467/files/89343002707.pdf
- https://cdn.shopify.com/s/files/1/0435/2373/5720/files/89862442765.pdf
- https://cdn.shopify.com/s/files/1/0430/4545/3985/files/35491139321.pdf
- https://cdn.shopify.com/s/files/1/0433/6402/4479/files/falagisevezapoji.pdf
- https://cdn.shopify.com/s/files/1/0430/4227/5479/files/levorumitoz.pdf
- https://cdn.shopify.com/s/files/1/0431/6043/6896/files/85022084704.pdf
- https://cdn.shopify.com/s/files/1/0432/0113/4747/files/midotomomegidipa.pdf
- https://cdn.shopify.com/s/files/1/0434/7202/7814/files/pifukepaloramoxokapu.pdf
- https://cdn.shopify.com/s/files/1/0431/4575/6833/files/sajulaxatezopeborexaguzib.pdf
- https://cdn.shopify.com/s/files/1/0429/9204/2137/files/70550218034.pdf
- https://cdn.shopify.com/s/files/1/0430/6635/9962/files/85337294102.pdf
- https://cdn.shopify.com/s/files/1/0433/9436/7644/files/caliathletics_download.pdf
- https://cdn.shopify.com/s/files/1/0429/0124/2015/files/62227359279.pdf
- https://cdn.shopify.com/s/files/1/0431/8239/1451/files/roribomepigufataxawo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0003bc0d.bin` `db1792f1a8690ad69d67424c289527c3d89aced2b66ce65b3f9f0caea57f0957`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3BC0D	5224 bytes
`font_01_sfnt_off0003cdd0.bin` `cdd7cac74691220081123afa3a8e917663c073e8c3b2c55f1be1e014f0015821`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3CDD0	10940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.