PDF malware analysis — malicious · b4d4b0836aea9317

MALICIOUS

PDF

37.1 KB Created: 2020-08-12 06:44:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 49846c6a18f62651f916f7087b1c31a7 SHA-1: 160e430db9bc0204444aeb299fb011596d53c57f SHA-256: b4d4b0836aea9317a90fb9c95acab065ee636009ddd59f6c644b4dceb19ea5e2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=alleluia+de+taize+partition+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same malicious URL and a benign-looking PDF title, suggesting a lure. No scripts were extracted, but the primary malicious activity appears to be redirection.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=alleluia+de+taize+partition+pdf
- http://files.divinosospiro.org/uploads/1/3/1/3/131383329/wowop.pdf
- http://kekomi.tracelearningcenter.com/uploads/1/3/1/6/131606289/koxozezeli.pdf
- http://xaxifi.windows8cardgames.com/uploads/1/3/0/7/130775045/2951580.pdf
- http://files.doucedivry.com/uploads/1/3/2/6/132695829/kodabojoxeboju-vabozapejad.pdf
- https://cdn.shopify.com/s/files/1/0429/1647/9132/files/vowosuwemowus.pdf
- https://cdn.shopify.com/s/files/1/0428/9930/8700/files/24131062242.pdf
- https://cdn.shopify.com/s/files/1/0434/4895/9141/files/nanaloxid.pdf
- https://cdn.shopify.com/s/files/1/0431/8766/7104/files/metaxataterutikatav.pdf
- https://cdn.shopify.com/s/files/1/0447/9169/3463/files/betrayal_harold_pinter_espaol.pdf
- https://cdn.shopify.com/s/files/1/0429/3623/8236/files/mebasasaw.pdf
- https://cdn.shopify.com/s/files/1/0431/8976/4245/files/66654593034.pdf
- https://cdn.shopify.com/s/files/1/0438/4607/4525/files/highland_cathedral_bagpipe_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0436/5287/4390/files/womajawudikudevosu.pdf
- https://cdn.shopify.com/s/files/1/0436/9452/2518/files/litabotogi.pdf
- https://cdn.shopify.com/s/files/1/0428/4016/2467/files/juwufemomide.pdf
- https://cdn.shopify.com/s/files/1/0429/5108/2143/files/28532930199.pdf
- https://cdn.shopify.com/s/files/1/0431/8189/9944/files/54040837327.pdf
- https://cdn.shopify.com/s/files/1/0430/1648/7065/files/kawula.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000051e2.bin` `586f44b4b6daf42e79b3e88dfff8be2fb0eff5c085f742130456e460fdc7d6f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x51E2	4896 bytes
`font_01_sfnt_off0000629f.bin` `45c8e52cadbaef15aab5d4c4d0b9b57b50f74ea7883e8193573fb1cb04e74afb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x629F	10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.