PDF malware analysis — malicious · c2fa267630c94961

MALICIOUS

PDF

49.4 KB Created: 2020-09-05 01:07:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 719cd042a51c1b73d1d234263f9a2546 SHA-1: 4ace59d3a33b944ebf16695128db01f494cf390c SHA-256: c2fa267630c949617e8178c3257d8f925ad2730fa3f16e840bbe37634997636e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/pify?keyword=nhs+8+healthy+eating+guidelines'. This URL is presented within the document body, disguised as NHS healthy eating guidelines, indicating a social engineering lure. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify domains, likely for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/pify?keyword=nhs+8+healthy+eating+guidelines
- https://cdn.shopify.com/s/files/1/0429/2801/3475/files/40023814481.pdf
- https://cdn.shopify.com/s/files/1/0429/8326/0314/files/wibetexulusuv.pdf
- https://cdn.shopify.com/s/files/1/0430/0832/7829/files/gefotewibo.pdf
- https://cdn.shopify.com/s/files/1/0430/6193/6282/files/amulet_book_5_full_book.pdf
- https://static.usrfiles.com/ugd/610d21_2b4bad80dceb46d5938fffebeec20180.pdf
- https://static.usrfiles.com/ugd/19103d_d813bf6570dd4a68ad2558fed6623c50.pdf
- https://static.usrfiles.com/ugd/f67134_a64d05746b894aeaa650ce6dc5822705.pdf
- https://cdn.shopify.com/s/files/1/0433/6399/1717/files/renurugelofi.pdf
- https://cdn.shopify.com/s/files/1/0433/7228/2008/files/dukadulodusutedasegururo.pdf
- https://cdn.shopify.com/s/files/1/0437/7464/0286/files/jumelagusogi.pdf
- https://cdn.shopify.com/s/files/1/0435/1423/3000/files/bralette_sewing_pattern.pdf
- https://cdn.shopify.com/s/files/1/0430/8323/5489/files/11367260204.pdf
- https://static.usrfiles.com/ugd/2b3f46_e29d245022624abb8e982f08f2f3e3dd.pdf
- https://static.usrfiles.com/ugd/5a4aad_bfd17f388c9043cd97fef60b7e08003c.pdf
- https://static.usrfiles.com/ugd/510a18_f28415606e7940cb9eeef577be6178d8.pdf
- https://static.usrfiles.com/ugd/b8c837_70794ba9d425445caab772f7e50515e8.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000073ff.bin` `de0f43688fab3397421e9c0d1b732cdff98defbe47ab17ec5c3534f496391cba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73FF	5028 bytes
`font_01_sfnt_off0000850c.bin` `de0575ef3ec1d1e0a0ddec286475fc90e2de9c20b1277e73af0d80bca946485e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x850C	10416 bytes
`font_02_sfnt_off0000a894.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA894	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.