PDF malware analysis — malicious · c3cbd3bc4292ac23

MALICIOUS

PDF

44.1 KB Created: 2020-09-08 03:48:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 86474985fe34be0b31f21748b5301bd1 SHA-1: fdc4662023ee6c88919f5e0d4cdd99d9f82cf50a SHA-256: c3cbd3bc4292ac2334200a11d837d0f8d0338b5854c00f24677b4a0ae850b1ca

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, directing users to 'https://ttraff.me/wix?keyword=delphi+programming+guide+pdf'. This URL is presented within the document body, suggesting a social engineering lure to trick users into clicking it. The PDF also contains a large number of external links, many hosted on Shopify, which is flagged as a link farm. No scripts were extracted, and the document body appears to be largely obfuscated or contains metadata rather than readable content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=delphi+programming+guide+pdf
- https://cdn.shopify.com/s/files/1/0430/4892/7386/files/cartesian_form_equation_of_the_line.pdf
- https://cdn.shopify.com/s/files/1/0438/2549/6221/files/national_fccla_competitive_events_guide.pdf
- https://cdn.shopify.com/s/files/1/0430/9165/6855/files/58388666039.pdf
- https://cdn.shopify.com/s/files/1/0432/4658/3976/files/pimevoled.pdf
- https://cdn.shopify.com/s/files/1/0433/0982/6213/files/80543044885.pdf
- https://cdn.shopify.com/s/files/1/0437/6225/3982/files/alta_e_baixa_idade_mdia.pdf
- https://cdn.shopify.com/s/files/1/0462/3007/7594/files/bloemfontein_celtic_album.pdf
- https://static.usrfiles.com/ugd/7198c1_6fd3b19c9cdf4b288aee4e54f061d6b1.pdf
- https://static.usrfiles.com/ugd/71fd01_a55921c89e51492998923ca084a40a8c.pdf
- https://static.usrfiles.com/ugd/e23fbb_85f6c978b9e34c269f7c1ef81cdbf837.pdf
- https://static.usrfiles.com/ugd/3aee12_c437e4e33bb041c591ab0c4598aab06c.pdf
- https://cdn.shopify.com/s/files/1/0437/4098/7544/files/36790565446.pdf
- https://cdn.shopify.com/s/files/1/0437/7713/0658/files/tudibazuki.pdf
- https://cdn.shopify.com/s/files/1/0435/3759/6575/files/misezadigakugopodujinida.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f62.bin` `79e2917d6cad2f1d21297100fbc43f26b1c00095a98a73a693d2e2780cbcdd01`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F62	5076 bytes
`font_01_sfnt_off00007078.bin` `a8ebe3cd38016271ec1d1fdb0c75136127b1d437e1ada7213e2a1c4efb8909c0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7078	10460 bytes
`font_02_sfnt_off000093fa.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93FA	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.