PDF malware analysis — malicious · c52e647e962bb799

MALICIOUS

PDF

42.5 KB Created: 2020-09-02 14:53:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4f138c7268b26f5bff71b6ed465cb2a9 SHA-1: 28f745a150539611f88205c31f18b9185d5ef17a SHA-256: c52e647e962bb7990bf10549b539266d409e2bcf51d4ae33be7aaefa02dcad3f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=april+2019+act+math+answers'. This URL is presented within the document body, suggesting a social engineering attempt to trick the user into clicking it. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify. The primary malicious URL is the most critical IOC.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=april+2019+act+math+answers
- https://cdn.shopify.com/s/files/1/0433/4754/2175/files/fixipawanedosivorutenij.pdf
- https://cdn.shopify.com/s/files/1/0433/6179/6248/files/fepavelexizerajalalorone.pdf
- https://cdn.shopify.com/s/files/1/0428/3373/9932/files/airbnb_brand_guidelines.pdf
- https://cdn.shopify.com/s/files/1/0428/4848/5535/files/tejomababe.pdf
- https://cdn.shopify.com/s/files/1/0463/7717/3147/files/shave_biopsy_procedure_note_template.pdf
- https://cdn.shopify.com/s/files/1/0433/4406/8773/files/vodibasorugapuwe.pdf
- https://cdn.shopify.com/s/files/1/0434/2913/4487/files/42152238419.pdf
- https://cdn.shopify.com/s/files/1/0431/9661/2768/files/craftsman_12_inch_band_saw_sander.pdf
- https://static.usrfiles.com/ugd/fbccce_ba54436c6aa848069501d9cd71831316.pdf
- https://static.usrfiles.com/ugd/7041e4_c9cf2648cffc406ea13773fe37f15037.pdf
- https://static.usrfiles.com/ugd/76156b_fc2575154f7240edb7b19dee85441947.pdf
- https://static.usrfiles.com/ugd/10b11f_36abc0749cf74c80a9eeb757efa01f73.pdf
- https://static.usrfiles.com/ugd/b8c837_799b02a85d4849f987a7ce7c1253f38f.pdf
- https://static.usrfiles.com/ugd/b8c837_727369acb38440cc9e82b2393f2d1ed3.pdf
- https://static.usrfiles.com/ugd/b8c837_2127aa53c9f34d248654fed367439231.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000059dc.bin` `0271992afd511bbdf6e911d4cea3b6bfd6b50b7e7d0a8f8cfe6c3059fb68d300`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x59DC	5416 bytes
`font_01_sfnt_off00006c1b.bin` `1c9c1ce12504cfc07bdd2dd51158c13f359b9eec172a182c74da00f776e7e568`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C1B	10200 bytes
`font_02_sfnt_off00008ed2.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8ED2	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.