PDF malware analysis — malicious · c04f4f44b095cb91

MALICIOUS

PDF

110.3 KB Created: 2020-08-06 21:17:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9feb73b7eb21e1fcc3b208478ab2a3d1 SHA-1: 7cb703027c9ee1f85b714c1482bfc4faf384c58c SHA-256: c04f4f44b095cb91d3b4fab5933cd0023695ebb1150d8081c606f566eb8208d1

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic match for an advance-fee scam lure, indicating it's designed to trick users into believing they are owed a prize or parcel. It also contains a malicious redirector link to 'ttraff.com' and a link farm pointing to various PDF files hosted on Shopify. The document body, though heavily obfuscated, contains the malicious URL.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=chinua+achebe+the+african+trilogy+pdf
- http://files.burlingtonedisonlittleleague.com/uploads/1/3/1/3/131381428/4846565.pdf
- http://farojoles.svbarnquilts.org/uploads/1/3/0/9/130969060/notowon_dolon_teguvejaroboma.pdf
- http://files.pgsarts.co.uk/uploads/1/3/1/4/131436991/2bdb3f35e81.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mipubafuminidumef.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/20785775646.pdf
- https://cdn.shopify.com/s/files/1/0428/6709/7756/files/29078164593.pdf
- https://cdn.shopify.com/s/files/1/0433/1329/9620/files/lufukugixut.pdf
- https://cdn.shopify.com/s/files/1/0431/3127/3365/files/raxatag.pdf
- https://cdn.shopify.com/s/files/1/0432/0962/1665/files/duziden.pdf
- https://cdn.shopify.com/s/files/1/0432/3350/9534/files/barricades_and_scaffolds_safety_management.pdf
- https://cdn.shopify.com/s/files/1/0431/9831/6705/files/13239354524.pdf
- https://cdn.shopify.com/s/files/1/0427/7790/3263/files/jefenugakazozofikop.pdf
- https://cdn.shopify.com/s/files/1/0435/8848/5288/files/you_kick_my_dog.pdf
- https://cdn.shopify.com/s/files/1/0433/3761/3461/files/juvirunuxatutilexaxoke.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000163c5.bin` `52fa1091bcdb3fddcab7ddf86eba5ec9ab6ab8ca5d287d6a63655ebefd533b44`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x163C5	5388 bytes
`font_01_sfnt_off0001760a.bin` `6863ab037d593fcdc64e150d3d7247d4ea29b04cd87883d22715cf12ec608621`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1760A	12044 bytes
`font_02_sfnt_off00019d8f.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19D8F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.