PDF malware analysis — malicious · b3fec0e4ddbecc4c

MALICIOUS

PDF

46.9 KB Created: 2020-08-23 14:06:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 735e5dbf0d809d90d26ee31a01e6d96c SHA-1: ed5a30b06dce94cb91ca29f8c4536e0b76389813 SHA-256: b3fec0e4ddbecc4c0301a3253c3d6b900964bf754ed98655bbe5ccfead1514ef

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF contains a link farm with 15 external PDF links, a technique often used for SEO manipulation or to obscure malicious redirects. One of the URLs, 'https://ttraff.com/pify?keyword=new+web+templates+2019', is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains this URL and another benign-looking Shopify URL, suggesting a lure to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=new+web+templates+2019
- http://jirir.su649.org/uploads/1/3/1/3/131380600/zupituje-jalovobesebafe-jowaj.pdf
- http://files.gardenspotrentals.net/uploads/1/3/2/6/132681938/finefenusavat.pdf
- http://vopele.mfinlayson.net/uploads/1/3/1/4/131482975/3518153.pdf
- http://linubo.jsptacek.com/uploads/1/3/0/8/130814328/sagurileki-malabunopubegen-jozaruluzedob.pdf
- http://gitame.tenniswos.co.uk/uploads/1/3/0/8/130874493/dakog-xatemibexulu.pdf
- https://cdn.shopify.com/s/files/1/0437/0428/7383/files/mazup.pdf
- https://cdn.shopify.com/s/files/1/0438/2710/1853/files/53564301159.pdf
- https://cdn.shopify.com/s/files/1/0457/8734/9148/files/car_driving_game_for_windows_7.pdf
- https://cdn.shopify.com/s/files/1/0431/0024/2077/files/jotafi.pdf
- https://cdn.shopify.com/s/files/1/0431/6420/5216/files/55542234637.pdf
- https://cdn.shopify.com/s/files/1/0435/4762/3592/files/compliance_officer_job_interview_questions_and_answers.pdf
- https://cdn.shopify.com/s/files/1/0430/6989/8914/files/effects_of_globalization_in_africa.pdf
- https://cdn.shopify.com/s/files/1/0437/1025/1176/files/zipikokimasobedunudewoxa.pdf
- https://cdn.shopify.com/s/files/1/0435/6440/0798/files/8486049700.pdf
- https://cdn.shopify.com/s/files/1/0440/3236/0613/files/61553628353.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006c63.bin` `cc01283c9502b729ede0f7f779707124c622f86a47919e1927d8c305bd8e8b04`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C63	5076 bytes
`font_01_sfnt_off00007db6.bin` `481ce4de2acb6674ab3f6462891738d465d88d453a921bc38ad6885c4e9a5f1d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7DB6	10200 bytes
`font_02_sfnt_off0000a09a.bin` `ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA09A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.