PDF malware analysis — malicious · bf638c09ff0a763f

MALICIOUS

PDF

60.5 KB Created: 2020-08-01 07:33:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4e2c15bf07d243765826797369c831de SHA-1: f8fc150041f4523c5d0952bda9dcb2b063e1f86b SHA-256: bf638c09ff0a763f4e555407824f6e713aec9133ba4a88b844d65f9966c805a8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its structure, which includes a mass external PDF link farm. The primary malicious indicator is the presence of a link to a known malicious redirector infrastructure at 'https://ttraff.cc/pify?keyword=d%2526+d+stealth'. Additionally, numerous links to PDFs hosted on cdn.shopify.com were found, with one specific example being 'https://cdn.shopify.com/s/files/1/0434/3323/0488/files/savings_bonds_calculator.pdf'. The file's purpose appears to be SEO manipulation or redirection to malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=d%2526+d+stealth
- http://files.muzen.org/uploads/1/3/2/6/132681482/nerekivituwujidese.pdf
- http://files.kungfuabq.com/uploads/1/3/1/3/131379590/subagezejexalog-vizin-vezuket.pdf
- http://files.carolinewisejourney.com/uploads/1/3/2/6/132683264/xubadabiwekiwita.pdf
- http://files.simixlaundrydetergent.com/uploads/1/3/1/6/131606965/tojigupaxikiramimur.pdf
- https://cdn.shopify.com/s/files/1/0434/3323/0488/files/savings_bonds_calculator.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pizegavegip.pdf
- https://cdn.shopify.com/s/files/1/0432/8180/9558/files/tikexoxones.pdf
- https://cdn.shopify.com/s/files/1/0428/3318/2886/files/vofubomidobe.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/juzopuzenafososokazulu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/banefidofekadozimodomi.pdf
- https://cdn.shopify.com/s/files/1/0439/1868/8424/files/fununutaxejuwijesutufime.pdf
- https://cdn.shopify.com/s/files/1/0439/3621/9291/files/95919438095.pdf
- https://cdn.shopify.com/s/files/1/0430/3526/3138/files/11199966534.pdf
- https://cdn.shopify.com/s/files/1/0428/2348/3548/files/wepusidibufigudozasasa.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/3100392900.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b76.bin` `5ae3bcc49c87f96444fbe3d11ff27db43b6aea299416b9f3d286273c64098da8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B76	4156 bytes
`font_01_sfnt_off000079a4.bin` `556422d5bd12d0a69cc119bdc61bd59590eee1ca73e05b5edf093d959ec7dc87`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79A4	37804 bytes
`font_02_sfnt_off0000ca29.bin` `844ffddd2d988bf50cd6e6c9b5a56fe6f2ee3edd9c602e3325e51e047dd52fdd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCA29	17784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.