PDF malware analysis — malicious · b7088d9a7a055479

MALICIOUS

PDF

34.7 KB Created: 2020-08-29 06:54:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 799e01a5366e89244ec530d1f646c5b2 SHA-1: 4c37ab65c5fbddc122f0a2a9c09675a1d11380fb SHA-256: b7088d9a7a0554794de6e677e816ab7e83cf1ac9e222b409740e7f72b6b5b642

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=mankiw+principles+of+economics+7th+e'. It also exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to Shopify domains. The document body, though heavily obfuscated, contains text related to 'Mankiw principles of economics 7th e', suggesting a lure to disguise the malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=mankiw+principles+of+economics+7th+e
- https://cdn.shopify.com/s/files/1/0429/5308/0985/files/24097233146.pdf
- https://cdn.shopify.com/s/files/1/0463/1619/1904/files/chicken_invaders_6.pdf
- https://cdn.shopify.com/s/files/1/0438/1474/8322/files/95607368406.pdf
- https://cdn.shopify.com/s/files/1/0437/1388/8405/files/monodentate_ligand.pdf
- https://cdn.shopify.com/s/files/1/0435/3726/8900/files/74767793135.pdf
- https://cdn.shopify.com/s/files/1/0431/8907/6117/files/fizofumavalaguwasolo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/84312174386.pdf
- https://cdn.shopify.com/s/files/1/0431/9156/6493/files/calendario_de_siembra_mexico_2020.pdf
- https://cdn.shopify.com/s/files/1/0433/0799/1208/files/anemia_por_deficiencia_de_hierro_en_el_embarazo.pdf
- https://cdn.shopify.com/s/files/1/0434/6059/1776/files/15624997072.pdf
- https://cdn.shopify.com/s/files/1/0431/1279/2221/files/designing_data_intensive_applications_free.pdf
- https://cdn.shopify.com/s/files/1/0450/5174/0310/files/fisiopatologia_da_hernia_de_disco.pdf
- https://cdn.shopify.com/s/files/1/0427/9356/6364/files/40551262399.pdf
- https://static.usrfiles.com/ugd/b8c837_896d13de34924b1e8fcb7f854960b5df.pdf
- https://static.usrfiles.com/ugd/b8c837_563e00509e5f4d25a3223ff5547c9d4d.pdf
- https://static.usrfiles.com/ugd/b8c837_3a8b07f1bdc742179441e9bc251b0cc7.pdf
- https://static.usrfiles.com/ugd/b8c837_cd5c1e5383ec4a6cb593011b71e4da39.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004a58.bin` `7a3b3d49d342ab675723afd40f6f22431cb8d9660aa4c3b540190192568b039c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4A58	5496 bytes
`font_01_sfnt_off00005cf8.bin` `0eb83447a64a258d24ed63b7d983066289142c779c028440555d915b8ca774a5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5CF8	9616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.