PDF malware analysis — malicious · b79c48ac3c242ef9

MALICIOUS

PDF

41.8 KB Created: 2020-08-04 14:58:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 71f81f31c034c46b168a58cbf842266d SHA-1: 95ac06bc23f6479e4869c3970a608dbb5303328b SHA-256: b79c48ac3c242ef9cf1fd382055bd8a1f846d72932d65299c7b07890f7540a9b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains, including a significant number on cdn.shopify.com. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.cc/pify?keyword=circuito+electrico+pdf'. This suggests the document is designed to trick users into clicking malicious links, likely leading to phishing pages or malware downloads. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=circuito+electrico+pdf
- http://files.jinkymarsh.com/uploads/1/3/1/6/131636792/fovulajejisavaf-vavatuj-bonadaboda-kajuko.pdf
- http://files.comesailingcharterschicago.com/uploads/1/3/1/4/131437385/jadogefefu-nadowegez-zelud.pdf
- http://files.angloburmeselibrary.com/uploads/1/3/1/3/131380107/e876a.pdf
- http://files.beaumonttennisacademy.com/uploads/1/3/0/7/130776812/2996223.pdf
- https://cdn.shopify.com/s/files/1/0432/5939/6254/files/31475461038.pdf
- https://cdn.shopify.com/s/files/1/0434/5279/2982/files/44422207807.pdf
- https://cdn.shopify.com/s/files/1/0430/7048/8730/files/sefitawujubon.pdf
- https://cdn.shopify.com/s/files/1/0436/0231/3373/files/98295862630.pdf
- https://cdn.shopify.com/s/files/1/0434/6046/0706/files/12160498806.pdf
- https://cdn.shopify.com/s/files/1/0434/5177/7185/files/mokefasetobapiterol.pdf
- https://cdn.shopify.com/s/files/1/0430/9339/3557/files/mefen.pdf
- https://cdn.shopify.com/s/files/1/0437/6746/4093/files/jomulowenomune.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94323725826.pdf
- https://cdn.shopify.com/s/files/1/0434/1052/2277/files/muzibisetozazozogelekuzu.pdf
- https://cdn.shopify.com/s/files/1/0433/0727/0297/files/mepokefusimulisun.pdf
- https://cdn.shopify.com/s/files/1/0439/7580/3038/files/wutigupezupusatuni.pdf
- https://cdn.shopify.com/s/files/1/0431/6112/5013/files/vufuluxakoxipeluxi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064a7.bin` `8cbaa4117f615b8181316a37c4dacc8314b69e55d9c09bd715ee3cebdecafc7a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64A7	4664 bytes
`font_01_sfnt_off00007496.bin` `3504f28817d9a4c8e5c8bc73a431d00d72e7864d603c8264c847d5d20e7b11e3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7496	11192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.