PDF malware analysis — malicious · c6076677ebaf41ba

MALICIOUS

PDF

54.0 KB Created: 2020-08-02 12:30:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7e7623631b1d2cbb38ef12dae43d681c SHA-1: be119850eb9d1a65ee7aa40cf06cadf1ec006be5 SHA-256: c6076677ebaf41ba387f78330368d950011fabbe591ed010f9d1b4f0b17c6eef

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains numerous embedded links, a technique often used for SEO farms or to redirect users to malicious sites. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=pewdiepie+seed+minecraft'. The document body, though heavily obfuscated, also contains this URL and references to other PDF files hosted on Shopify, suggesting a link farm or redirection strategy. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=pewdiepie+seed+minecraft
- http://files.courtingkenya.com/uploads/1/3/1/0/131071231/aa6e2883412448.pdf
- http://files.wakecountybands.com/uploads/1/3/1/4/131453459/bopoxoxonazur-defuduvixejar-mikof-xoxujivivaxiz.pdf
- http://files.modcitygallery.com/uploads/1/3/0/7/130775387/4652090.pdf
- http://files.fablegroundscoffee.com/uploads/1/3/1/3/131384721/xigagoguxusa.pdf
- http://files.thaddeusproduction.com/uploads/1/3/2/6/132681647/zokiwaxujosazekukog.pdf
- https://cdn.shopify.com/s/files/1/0432/2865/9874/files/jibanebisupepe.pdf
- https://cdn.shopify.com/s/files/1/0428/4160/4263/files/16956271668.pdf
- https://cdn.shopify.com/s/files/1/0432/9088/6312/files/lutapixirenunevekatutufi.pdf
- https://cdn.shopify.com/s/files/1/0435/1465/8980/files/38785082287.pdf
- https://cdn.shopify.com/s/files/1/0434/4355/2416/files/59695334275.pdf
- https://cdn.shopify.com/s/files/1/0435/1731/3178/files/nexowuboti.pdf
- https://cdn.shopify.com/s/files/1/0430/8366/1461/files/tokopapo.pdf
- https://cdn.shopify.com/s/files/1/0437/1123/4197/files/motitobuvisuperajosake.pdf
- https://cdn.shopify.com/s/files/1/0433/1382/3909/files/naruxupebikuxibepe.pdf
- https://cdn.shopify.com/s/files/1/0427/8488/2844/files/lonumafufevevofabozu.pdf
- https://cdn.shopify.com/s/files/1/0431/8619/2546/files/17261456606.pdf
- https://cdn.shopify.com/s/files/1/0432/9370/4356/files/75106999935.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000955d.bin` `427274c51157be19b058b7d3720d363533e225a67c336f70280178c6dc536dfa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x955D	5360 bytes
`font_01_sfnt_off0000a797.bin` `67c9bdd9ad5bb1ded401dc27346b0dd448ef103f3fb32c24cc40e3e965c393fd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA797	10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.