PDF malware analysis — malicious · c1154fbc432055bf

MALICIOUS

PDF

72.5 KB Created: 2020-08-08 01:44:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 605b463659508f1555b811f4fb6c24e6 SHA-1: 46c3df5df43ea61d497a1b5b38749d3f2ce71c12 SHA-256: c1154fbc432055bfa391856e4801fb3141e965f3f201284aa6129e234cef0924

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one identified as a malicious redirector pointing to 'ttraff.com'. This suggests a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the same malicious URL. The presence of numerous external links, including a large number hosted on 'cdn.shopify.com', indicates a link farm strategy to potentially obscure the true malicious destination or to increase visibility through SEO manipulation.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=schistosomiasis+disease+pdf
- http://files.mothersforothers.org/uploads/1/3/0/7/130739450/5c15bbe.pdf
- http://files.compositiona.com/uploads/1/3/0/8/130813997/7966125.pdf
- http://files.cruzinapparel.com/uploads/1/3/1/0/131070402/zefojuxuba-wavukebob-gotagutenusaj.pdf
- http://files.uptomogood.com/uploads/1/3/0/8/130874109/safiwefaw-xalop-xobapekavezi-laxabofesowoxuv.pdf
- https://cdn.shopify.com/s/files/1/0433/2745/5400/files/17671174817.pdf
- https://cdn.shopify.com/s/files/1/0434/8382/4294/files/fefazovatuv.pdf
- https://cdn.shopify.com/s/files/1/0435/3979/2021/files/xiwinabajadikamisox.pdf
- https://cdn.shopify.com/s/files/1/0432/7338/8190/files/vonafe.pdf
- https://cdn.shopify.com/s/files/1/0432/4311/0555/files/xojerodibozidut.pdf
- https://cdn.shopify.com/s/files/1/0427/6014/3014/files/cambridge_english_starters.pdf
- https://cdn.shopify.com/s/files/1/0431/9179/5875/files/84910631221.pdf
- https://cdn.shopify.com/s/files/1/0438/7920/2984/files/tipodizev.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/74832969368.pdf
- https://cdn.shopify.com/s/files/1/0428/5834/8700/files/wetogunezikotekizonodaj.pdf
- https://cdn.shopify.com/s/files/1/0431/0204/4316/files/semuzotesebu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jojanasesejunuveko.pdf
- https://cdn.shopify.com/s/files/1/0428/1312/8871/files/nigigapekositudediruku.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dbf1.bin` `9a522a88c0a901f16bd33d8ba5ed9741d9dbd37b421cdc3e4b470be740292210`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDBF1	5372 bytes
`font_01_sfnt_off0000ee16.bin` `937058420d2535d9892562bdc1bf957b1e38535bf67ca48ada213fa3b84448ba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEE16	11244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.