PDF malware analysis — malicious · bfda74558c5f2c5f

MALICIOUS

PDF

44.0 KB Created: 2020-08-22 17:00:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9342da62fb9511b980de36e24f0822b3 SHA-1: 36ee3e2e9bbdb29fd153355c20bb864bfdd5fb82 SHA-256: bfda74558c5f2c5f937836d3519a14029f305539d46eb283d60fb0ae56804117

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=watercolor+paper+sizes+full+sheet'. Additionally, it features a link farm with numerous external PDF links, including 'https://cdn.shopify.com/s/files/1/0433/7146/2814/files/sectionalism_civil_war_worksheet.pdf'. The document body, though heavily obfuscated, contains text related to 'Watercolor paper sizes full sheet' and the wkhtmltopdf tool, suggesting a lure to disguise the malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=watercolor+paper+sizes+full+sheet
- http://files.tuskertravels.org/uploads/1/3/1/4/131437976/junasevutixoke.pdf
- http://files.briannaholt.com/uploads/1/3/0/7/130738911/bfd8be9ac.pdf
- https://cdn.shopify.com/s/files/1/0433/7146/2814/files/sectionalism_civil_war_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0438/2598/7734/files/ford_tractor_parts_diagram.pdf
- https://cdn.shopify.com/s/files/1/0431/5951/9387/files/nightmare_before_christmas_revisited.pdf
- https://cdn.shopify.com/s/files/1/0431/4628/1120/files/vawagawozusor.pdf
- https://cdn.shopify.com/s/files/1/0440/6099/9845/files/numewemebaxorefosurosavi.pdf
- https://cdn.shopify.com/s/files/1/0430/8071/2346/files/nolekez.pdf
- https://cdn.shopify.com/s/files/1/0428/3708/2271/files/56587603724.pdf
- https://cdn.shopify.com/s/files/1/0430/8844/5591/files/oslo_middle_school.pdf
- https://cdn.shopify.com/s/files/1/0435/4372/4186/files/19205064926.pdf
- https://cdn.shopify.com/s/files/1/0431/0709/0589/files/98309122352.pdf
- https://cdn.shopify.com/s/files/1/0433/6707/1894/files/lukatoxipeli.pdf
- https://cdn.shopify.com/s/files/1/0433/7175/7718/files/29980849669.pdf
- https://cdn.shopify.com/s/files/1/0431/7013/6230/files/aluminium_phosphide_poisoning_treatment.pdf
- https://cdn.shopify.com/s/files/1/0436/9186/8313/files/cool_math_games_ninja_painters.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e0e.bin` `aa9da76ac7dfe8efdaea504335f9f80389cc7ba81865e68003601accca488662`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E0E	5164 bytes
`font_01_sfnt_off00007fab.bin` `5bb432e0d88df262eac536e13374a7308d57728ef735bc5a99f7639d412dc498`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FAB	10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.