PDF malware analysis — malicious · bb8689471991ef36

MALICIOUS

PDF

38.6 KB Created: 2020-08-24 01:39:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 463adea7f219f58ba53db6068998e1d4 SHA-1: 784a52df14ceb1fb6acb9e6e6a708e7a3c245ba4 SHA-256: bb8689471991ef367659fa2935a836618c2760ffc1f11c87c2016c5aa3302147

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a direct link to a known malicious redirector, ttraff.com. The document body, though heavily obfuscated, contains text related to 'emergency preparedness response course post test answers' and the malicious URL, suggesting a lure to trick users into clicking the link. The redirector likely leads to further malicious content or exploits. No scripts were extracted, limiting the analysis of the payload.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=emergency+preparedness+response+course+post+test+answers
- http://figutisaj.bryandilionnis.com/uploads/1/3/1/0/131070458/fakotero.pdf
- http://vetapola.lingg.us/uploads/1/3/1/4/131438379/1475667.pdf
- http://files.andrewwittkamper.com/uploads/1/3/1/4/131484728/1b71af8562abd49.pdf
- http://fumanusin.disasterdiary.org/uploads/1/3/1/3/131398360/8711035.pdf
- http://jugejukej.seductive-tseve.com/uploads/1/3/0/7/130740169/sawedun-vibiwepoba-tudifux-betole.pdf
- https://cdn.shopify.com/s/files/1/0429/9980/8149/files/apartheid_education_system_in_south_africa.pdf
- https://cdn.shopify.com/s/files/1/0427/8249/0791/files/nrsv_study_bible.pdf
- https://cdn.shopify.com/s/files/1/0428/7240/6179/files/administrao_da_produo_livro.pdf
- https://cdn.shopify.com/s/files/1/0441/3207/3624/files/gesofokut.pdf
- https://cdn.shopify.com/s/files/1/0430/8297/3346/files/girozorijatog.pdf
- https://cdn.shopify.com/s/files/1/0436/1030/8765/files/legemuso.pdf
- https://cdn.shopify.com/s/files/1/0430/7881/1797/files/789625473.pdf
- https://cdn.shopify.com/s/files/1/0434/5652/8544/files/jidasebubogo.pdf
- https://cdn.shopify.com/s/files/1/0432/8580/7269/files/purimajejepixu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/25424470269.pdf
- https://cdn.shopify.com/s/files/1/0438/7821/9944/files/45036492495.pdf
- https://cdn.shopify.com/s/files/1/0440/7630/2486/files/ravojoje.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/56773010908.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000057ba.bin` `adb6717bc0eefedcf3274b51085d6c8bd04554f754964621676721e83d78f87d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x57BA	5512 bytes
`font_01_sfnt_off00006a73.bin` `daac9dc3c6474748a5a2e9b77620130ec0797647d6802026be97169cf12d8d76`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A73	9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.