PDF malware analysis — malicious · c04b8c4c4f1e31f5

MALICIOUS

PDF

45.5 KB Created: 2020-08-23 19:51:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 70e0b11a7b4afbb4e8d2526d8055040d SHA-1: f76fdd200b8dfb7bf96d23080b6feccfe4895930 SHA-256: c04b8c4c4f1e31f55772d531956c2e72d1c56c294eb352c6ab5d621fb9702c0c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=good+morning+photos+new+hd', which is flagged as malicious. Additionally, a large link farm pointing to various PDFs on cdn.shopify.com was detected, suggesting a potential SEO poisoning or link distribution tactic.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=good+morning+photos+new+hd
- http://files.sayyestothecake.com/uploads/1/3/2/7/132740778/tapavizer_wikos_zagiwujajiv.pdf
- http://files.jimmylenman.com/uploads/1/3/0/7/130776591/refogepenosidanuxi.pdf
- http://files.theemergencefoundation.com/uploads/1/3/1/0/131070918/padejofakuvej-juvuwufafajat-xefulanoxi-zutuwe.pdf
- http://files.sarahgayler.com/uploads/1/3/1/4/131453869/44c0594d5fa.pdf
- https://cdn.shopify.com/s/files/1/0466/2683/2549/files/back_to_school_uniforms_walmart.pdf
- https://cdn.shopify.com/s/files/1/0438/3378/6528/files/56055836478.pdf
- https://cdn.shopify.com/s/files/1/0436/0224/7838/files/67953746991.pdf
- https://cdn.shopify.com/s/files/1/0429/5258/9465/files/69720861931.pdf
- https://cdn.shopify.com/s/files/1/0436/8180/8549/files/tejaxiluxefajuk.pdf
- https://cdn.shopify.com/s/files/1/0432/9085/3540/files/xuguwogugi.pdf
- https://cdn.shopify.com/s/files/1/0430/7809/0901/files/jakukevari.pdf
- https://cdn.shopify.com/s/files/1/0440/4976/0421/files/activity_ratio_formula.pdf
- https://cdn.shopify.com/s/files/1/0429/8620/9439/files/activex_control_in_vb_6._0.pdf
- https://cdn.shopify.com/s/files/1/0437/7369/0017/files/6751489365.pdf
- https://cdn.shopify.com/s/files/1/0427/4411/9462/files/zekezotorise.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rasebiv.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006cdc.bin` `9fdc53925dcd92edce92384b003cf93c2bebb1fbdd4b00563495a45c3ac2cc82`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CDC	5256 bytes
`font_01_sfnt_off00007ea7.bin` `e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EA7	1800 bytes
`font_02_sfnt_off00008734.bin` `8f4cd7c462d691ba9685659606134ac92fe467d65be8a6443cd91129dd9a756b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8734	9960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.