PDF malware analysis — malicious · af032505c0ef8f34

MALICIOUS

PDF

43.6 KB Created: 2020-09-17 19:03:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 55676659ddf4b4e3efc01a18d47eb9c0 SHA-1: 5d6b14cb98bb8c1be1457e4179442c3c91695e51 SHA-256: af032505c0ef8f3461c4c8b2c25ca864c60bb95a52221369e424d4f153e12716

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/pify?keyword=the+maze+runner+study+guide'. The document body also contains this URL, suggesting the primary intent is to redirect users to malicious content under the guise of a study guide. The file also exhibits characteristics of a link farm, with numerous embedded URLs, one of which is a known benign file but others are likely part of the same malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/pify?keyword=the+maze+runner+study+guide
- http://sovujel.shreemarblesmumbai.com/uploads/1/3/1/4/131406436/3410678.pdf
- http://dogine.friendsofpns.org/uploads/1/3/1/6/131606027/d1d2c7dd1e80e.pdf
- http://fakukudek.rhinedesign.org/uploads/1/3/0/8/130873851/befepu-fenev.pdf
- http://files.moorehousecreations.com/uploads/1/3/0/7/130775952/1bbf045998.pdf
- https://7476bf1d-3e6f-4972-8b64-f0235ce338eb.filesusr.com/ugd/e4d7df_e2caf9ff13c24f63a159ef3ea6507feb.pdf?index=true
- https://8bd31aab-1cd9-4584-acd0-22a7f6ec12b0.filesusr.com/ugd/0582e0_e4072093891646118d332af5e068c147.pdf?index=true
- https://6c5116f5-7640-4eba-b2d4-f5bdc9bd4f07.filesusr.com/ugd/10cedf_ccf8937d5ef847e49145c71550fa7bfc.pdf?index=true
- https://cdn.shopify.com/s/files/1/0438/2497/1936/files/40040403714.pdf
- https://cdn.shopify.com/s/files/1/0433/5537/3720/files/kuwib.pdf
- https://cdn.shopify.com/s/files/1/0435/9805/3539/files/arcswat_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0428/3318/2886/files/nezuwamedapejasel.pdf
- https://cdn.shopify.com/s/files/1/0433/6877/5841/files/jinogoganatojen.pdf
- https://89dbcaa7-aed2-4716-aa1f-4ba7f5b54336.filesusr.com/ugd/610d21_2431af4492474347b7f7d6e0a92a69a5.pdf?index=true
- https://b126585b-16d9-4727-8609-b53f1643eae3.filesusr.com/ugd/8d46c2_c894e5001cb44bd1a18309051ca0b266.pdf?index=true
- https://fb924e2d-c22e-4fe2-b8d1-5cf9f285b328.filesusr.com/ugd/e49726_88ef8a521f7e40e1aa0ca0235eeb74c0.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ce7.bin` `345985b59a1da0b8fabfe4bbba9e75efea34e7f4bfaf78c346eeb3a967602a0a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CE7	5308 bytes
`font_01_sfnt_off00007ed3.bin` `5d7d3c5ca2384aaccfbf83fa2397e3ac1bc55dab9705a16c131ac2c77a4c126b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7ED3	10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.