MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous embedded links, with a critical heuristic identifying it as a malicious redirector link farm. The primary redirector URL is `https://ttraff.cc/pify?keyword=html+template+golang+example`, which is likely used to funnel victims to malicious content. The document body, though heavily obfuscated, also contains this URL and other links to Shopify-hosted PDFs, suggesting a lure to download further malicious content or visit compromised sites.
Heuristics 3
- PDF links to known malicious redirector infrastructure | critical | PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm | critical | PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.cc/pify?keyword=html+template+golang+example
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| `font_00_sfnt_off000071c3.bin` `1ce62c2f5436430cc96dddc97ebf2ff1cc78f4de09f4fd339734e8e8bd66ef05` | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71C3 | 4896 bytes |
| `font_01_sfnt_off00008256.bin` `4426124c16fb0b9a8b6dab2aaf3170cee83f0abc124e1fd72d555189fc1449dc` | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8256 | 11760 bytes |