PDF malware analysis — malicious · b2b8262cc51ea017

MALICIOUS

PDF

51.5 KB Created: 2020-08-14 15:41:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 854e2df4cc7a41853fb2a3c11ece1afa SHA-1: b84179c65c311266c4f8918fccad26ad1a32044e SHA-256: b2b8262cc51ea017aa0be3078a41599fdaa91c9182a5b85cce2d114f76b5b2cf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on Shopify. One of the primary links, 'https://ttraff.cc/pify?keyword=xiaomi+mi+a2+android+one+6%252F+128gb', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this same URL, suggesting the document's purpose is to redirect the user to malicious infrastructure, likely for phishing or a scam.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=xiaomi+mi+a2+android+one+6%252F+128gb
- http://files.danielswkatz.com/uploads/1/3/0/8/130814717/mojutatugumosak_lotisitujux_zegutewededa_nulaxigan.pdf
- http://vefugo.thewellchurchoflewisville.org/uploads/1/3/1/1/131163772/pajotoriwutelagu.pdf
- http://files.crotonlibrary.org/uploads/1/3/1/3/131383480/sedidakavurabafi.pdf
- https://cdn.shopify.com/s/files/1/0433/0048/7332/files/tavudufugaroturoxile.pdf
- https://cdn.shopify.com/s/files/1/0431/1141/5962/files/cetoacidosis_diabetica_y_estado_hiperosmolar_fisiopatologia.pdf
- https://cdn.shopify.com/s/files/1/0431/0332/2269/files/90920741506.pdf
- https://cdn.shopify.com/s/files/1/0432/7741/8656/files/zefuneseked.pdf
- https://cdn.shopify.com/s/files/1/0437/4550/9537/files/milonijuwawebebek.pdf
- https://cdn.shopify.com/s/files/1/0436/0473/8206/files/27186045489.pdf
- https://cdn.shopify.com/s/files/1/0432/4379/8683/files/dowidukutuxiwar.pdf
- https://cdn.shopify.com/s/files/1/0430/7602/6522/files/63273467519.pdf
- https://cdn.shopify.com/s/files/1/0432/0352/6820/files/sailor_moon_manga_completo.pdf
- https://cdn.shopify.com/s/files/1/0435/7881/8715/files/51797058161.pdf
- https://cdn.shopify.com/s/files/1/0430/8100/7255/files/map_in_scheme.pdf
- https://cdn.shopify.com/s/files/1/0434/2556/2785/files/authorization_to_release_information.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006bb7.bin` `19f8e1943a8453b7a2aeb3d21a07559700bace6bf57f87ea52aa2c2aec3e96ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BB7	5620 bytes
`font_01_sfnt_off00007ec4.bin` `d036d59b74a40c742af2468b332fdb8a6c9aaa6d2b1ae88622f929ba7b18a846`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EC4	17612 bytes
`font_02_sfnt_off0000ac4d.bin` `39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAC4D	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.