Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdb97cb45ad60e39…

Verdict: MALICIOUS
File type: PDF
Size: 34.0 KB
Created: 2020-08-30 07:15:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d657bd1b65c5c0aef8ee1ed3bb4e2f4
SHA-1: 0401568c30391d07e70e1cbd7d06e3d4f329e2bf
SHA-256: bdb97cb45ad60e397a3393cf81596ea4ecfec6c537429800dd98341aef7764f0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious due to its inclusion of a large number of external links, a technique often used for SEO farms or to distribute further malicious content. One of the primary links directs to a known malicious redirector at 'ttraff.com'. While the document body contains garbled text and metadata indicating it was generated by wkhtmltopdf, the heuristic firings strongly suggest a malicious intent related to link manipulation and redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure (severity: critical) [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=5.1+the+subjunctive+in+adjective+cla
    • https://cdn.shopify.com/s/files/1/0438/7271/4920/files/bicycle_built_for_two_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0432/4212/7527/files/jogalabukubawumoxizamuril.pdf
    • https://cdn.shopify.com/s/files/1/0432/8692/1376/files/tic_tac_toe_board.pdf
    • https://cdn.shopify.com/s/files/1/0431/2937/2823/files/24172732032.pdf
    • https://cdn.shopify.com/s/files/1/0432/6457/3593/files/32209950867.pdf
    • https://cdn.shopify.com/s/files/1/0439/8543/6830/files/53487652327.pdf
    • https://cdn.shopify.com/s/files/1/0436/9743/8875/files/gixuwekusi.pdf
    • https://cdn.shopify.com/s/files/1/0435/0751/5558/files/dijupimenopixerezaropigil.pdf
    • https://cdn.shopify.com/s/files/1/0433/0664/7717/files/siwuk.pdf
    • https://cdn.shopify.com/s/files/1/0432/1555/2674/files/74905387566.pdf
    • https://cdn.shopify.com/s/files/1/0432/2711/9784/files/kaabil_full_movie_hd_free.pdf
    • https://cdn.shopify.com/s/files/1/0451/4965/1098/files/application_for_us_passport_fillable.pdf
    • https://static.usrfiles.com/ugd/078c79_6af7979b627b4347af07f4ab83519283.pdf
    • https://static.usrfiles.com/ugd/625844_ca61f1a5a7184b8b95268b224b8e7f68.pdf
    • https://static.usrfiles.com/ugd/9dda13_8f3e99c48c7240a5be89fa0b8ea4939a.pdf
    • https://static.usrfiles.com/ugd/accd1f_24703480d62a446c814e1848e02338c7.pdf
    • https://static.usrfiles.com/ugd/b8c837_6fe4806c12d940f59fa3b05f91102399.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004838.bin
SHA-256: 986969e5b679e8425d357c070b5126eaa8d0abbb1b6f1ef8f11a2e05dde943fd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4838
Size: 5320 bytes

Filename: font_01_sfnt_off00005a56.bin
SHA-256: 00b1fc66a91a55f9246dfe962a52d4bc15cbbc6b4c0d9b9b01e458cb355d0a5e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5A56
Size: 9684 bytes