PDF malware analysis — malicious · b0c746e247cd2872

MALICIOUS

PDF

51.4 KB Created: 2020-08-30 23:46:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 83c785a6ecfa5c0e441931b2730dcb7d SHA-1: 98f90c9e8842b761df6c30d5d9b98c7b2ea0d3dd SHA-256: b0c746e247cd2872d069bd26bfb1af42edfcf07a5f4ee77c2239fd5b318823fd

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to Shopify domains. The document body, though heavily obfuscated, contains the malicious URL and references to 'Corruption of champions guide', suggesting a lure. The primary attack pattern involves redirecting the user to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=corruption+of+champions+guide
- https://cdn.shopify.com/s/files/1/0433/7028/3166/files/4804977072.pdf
- https://cdn.shopify.com/s/files/1/0434/9794/7300/files/16042888096.pdf
- https://cdn.shopify.com/s/files/1/0431/1682/2692/files/gravely_zt_42_parts.pdf
- https://cdn.shopify.com/s/files/1/0431/0443/6390/files/tekimuzolew.pdf
- https://cdn.shopify.com/s/files/1/0428/7863/2095/files/pressure_transducer_calibration_procedure.pdf
- https://cdn.shopify.com/s/files/1/0433/6258/2693/files/indesign_print_booklet_export.pdf
- https://cdn.shopify.com/s/files/1/0428/8148/2918/files/rapivesavidujexopafi.pdf
- https://cdn.shopify.com/s/files/1/0431/6767/8618/files/brochure_design_ideas.pdf
- https://cdn.shopify.com/s/files/1/0434/2225/3205/files/zakelololuvexexufinuw.pdf
- https://cdn.shopify.com/s/files/1/0432/8128/5286/files/gudokibezazarebarivoke.pdf
- https://cdn.shopify.com/s/files/1/0437/5104/7329/files/putawumuxewinemike.pdf
- https://cdn.shopify.com/s/files/1/0434/5279/2982/files/26934078050.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sopituwoxo.pdf
- https://cdn.shopify.com/s/files/1/0428/1945/3095/files/12235215029.pdf
- https://cdn.shopify.com/s/files/1/0432/1509/3920/files/paint_colour_matching_scanner.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000748a.bin` `b936e9c7e70398c6e9a18493255057b5c7ac702010e98feca15efca237415a79`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x748A	5440 bytes
`font_01_sfnt_off000086dd.bin` `6fbe19eac0e45bf88a6f02774e8c79671e9036af4254fca9db3475036123ec15`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x86DD	10308 bytes
`font_02_sfnt_off0000aa59.bin` `1eb2d602a8f0fbd29cf35e28249ef192f748b5a163674ba4d9c287d47c1a48c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAA59	16296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.