PDF malware analysis — malicious · bea851ec1f38da67

MALICIOUS

PDF

46.9 KB Created: 2020-08-11 07:01:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5755b1a56a28b6b7873d4bd90f1a4e68 SHA-1: 31744b9fa6c475b0d19416c139547281ca656ab6 SHA-256: bea851ec1f38da67564cd48ecba1596545ebb44ec98b94acacc50f49c8cb131b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF contains a link farm designed to redirect users to malicious infrastructure, specifically identified as 'ttraff.com'. The document body, though heavily obfuscated, contains the malicious URL. This indicates a phishing or redirection attempt, likely to deliver a secondary payload or lead the user to a fraudulent site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=administracion+publica+privada+y+mixta+pdf
- http://files.oregonlumberworks.com/uploads/1/3/1/4/131406337/nibamexemevam.pdf
- http://files.dibarco.com/uploads/1/3/0/7/130775554/pewizikur_luwikuz.pdf
- http://files.hemporiumbeads.com/uploads/1/3/2/6/132682093/7327596.pdf
- http://files.alisalman.ca/uploads/1/3/1/6/131636651/1098389.pdf
- http://files.stellarinternationalnetworks.com/uploads/1/3/1/8/131871730/bagekezo.pdf
- https://cdn.shopify.com/s/files/1/0436/2131/8820/files/4407006392.pdf
- https://cdn.shopify.com/s/files/1/0430/2556/3799/files/18834284823.pdf
- https://cdn.shopify.com/s/files/1/0430/3729/4754/files/nitibumonexalado.pdf
- https://cdn.shopify.com/s/files/1/0434/2874/1285/files/colour_blind_test.pdf
- https://cdn.shopify.com/s/files/1/0433/6992/2714/files/kemofesid.pdf
- https://cdn.shopify.com/s/files/1/0433/7467/4083/files/zoxonobunivudagitajal.pdf
- https://cdn.shopify.com/s/files/1/0431/4926/3005/files/97795450303.pdf
- https://cdn.shopify.com/s/files/1/0434/2412/0984/files/wireniletupefisi.pdf
- https://cdn.shopify.com/s/files/1/0427/4647/8759/files/62267580871.pdf
- https://cdn.shopify.com/s/files/1/0440/2269/4046/files/54125911675.pdf
- https://cdn.shopify.com/s/files/1/0437/6556/3541/files/konaxiwozuzi.pdf
- https://cdn.shopify.com/s/files/1/0432/6329/5650/files/adventure_time_watch_guide.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0427/4647/8759/files/622675808

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000672b.bin` `a43897d486a3fc1d05d1fdab378360366658d5cb291c74e3ec8fe006ce1d3413`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x672B	5424 bytes
`font_01_sfnt_off0000797a.bin` `1152d27dfd7c1ed8d93df3032a587dc7c20fd2778aa4e3dbe42598cf6bf1274b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x797A	11164 bytes
`font_02_sfnt_off00009df3.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DF3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.