PDF malware analysis — malicious · af3334432aef2d1e

MALICIOUS

PDF

50.5 KB Created: 2020-08-24 01:32:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3cc5375f3d11a75f9622d210f1fbc803 SHA-1: 11235d81e2161b945b9088fd3893969fbc3be045 SHA-256: af3334432aef2d1eb7acbea40b2de217ab0cc379e6b7c90619dc83f05ebb860e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One of the primary links, 'https://ttraff.com/pify?keyword=surf+report+gruissan', is flagged as a malicious redirector. This suggests the document is designed to drive traffic to malicious infrastructure, likely for phishing or malware distribution. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=surf+report+gruissan
- http://sunejivi.missouriinstituteofhypnotherapy.com/uploads/1/3/1/8/131871674/1423707.pdf
- http://files.upygeo.com/uploads/1/3/1/4/131407144/5de93.pdf
- http://files.sommerranchbordercollies.com/uploads/1/3/0/7/130776509/vukafoxitodex-novojigu-nagig.pdf
- http://files.ccsoa.net/uploads/1/3/2/6/132681749/munapapodusel-wetaxuva-nizunodoju-lisigiwotadi.pdf
- http://tifega.uuhk.org/uploads/1/3/0/9/130969723/gikabafivobaf.pdf
- https://cdn.shopify.com/s/files/1/0434/3575/3639/files/55432770484.pdf
- https://cdn.shopify.com/s/files/1/0439/1347/8312/files/76302412814.pdf
- https://cdn.shopify.com/s/files/1/0428/1312/8867/files/dojusemikis.pdf
- https://cdn.shopify.com/s/files/1/0431/6197/6994/files/agastya_samhita_in_english.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/96258555683.pdf
- https://cdn.shopify.com/s/files/1/0437/8374/9781/files/poniwewenuloxabilex.pdf
- https://cdn.shopify.com/s/files/1/0432/5038/5051/files/jadorofirinibiza.pdf
- https://cdn.shopify.com/s/files/1/0440/3062/3894/files/84500775399.pdf
- https://cdn.shopify.com/s/files/1/0429/4508/5606/files/rt-_6_form.pdf
- https://cdn.shopify.com/s/files/1/0429/6415/6575/files/nuzenakinazisazudaxew.pdf
- https://cdn.shopify.com/s/files/1/0439/2386/5768/files/auditing_and_investigation_ican.pdf
- https://cdn.shopify.com/s/files/1/0433/0936/7461/files/92756397588.pdf
- https://cdn.shopify.com/s/files/1/0432/2027/1259/files/wexezur.pdf
- https://cdn.shopify.com/s/files/1/0429/9092/8026/files/calendario_agricultura_biodinmico_2020.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008312.bin` `da168a359a10398b597031615395d6234e3fac53f867c57022cace900d69d725`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8312	5140 bytes
`font_01_sfnt_off000094a2.bin` `28e3536d3bf2209dc86c6c0bbdb191043811dbaa6e50f8e53eeeaf7cc86f890a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x94A2	12680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.