PDF malware analysis — malicious · c6e306d8c6d0d128

MALICIOUS

PDF

107.5 KB Created: 2020-08-15 05:55:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 94f2519b23695c7e2653912528ec3375 SHA-1: 1e4a05bd4e60344037ca5ea1a4979b8e1cdd058f SHA-256: c6e306d8c6d0d1282bfe85945e7aa8599282ba92b0779055d5693d9e921827e0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, a technique often used for SEO poisoning to improve search engine rankings. One of the primary links, 'https://ttraff.cc/pify?keyword=ascii+code+chart+pdf', is identified as a malicious redirector. This suggests the document's purpose is to redirect users to malicious infrastructure under the guise of providing an ASCII code chart.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=ascii+code+chart+pdf
- http://files.mostlyuppermidwestairchecks.com/uploads/1/3/2/7/132740501/787a436c.pdf
- http://files.leasparlor.com/uploads/1/3/1/0/131070674/tegapor.pdf
- http://files.sustainable-movement.com/uploads/1/3/0/7/130739084/9359756.pdf
- https://cdn.shopify.com/s/files/1/0428/6146/1670/files/guvivadadepivava.pdf
- https://cdn.shopify.com/s/files/1/0431/5725/8401/files/jikomajijafizo.pdf
- https://cdn.shopify.com/s/files/1/0437/2247/3624/files/81965585742.pdf
- https://cdn.shopify.com/s/files/1/0433/7316/6744/files/dulazurolif.pdf
- https://cdn.shopify.com/s/files/1/0432/3731/0626/files/napinekojabi.pdf
- https://cdn.shopify.com/s/files/1/0434/8936/2082/files/41698819012.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66083684812.pdf
- https://cdn.shopify.com/s/files/1/0427/8029/5334/files/zeneruzanu.pdf
- https://cdn.shopify.com/s/files/1/0432/0657/4238/files/gta5_ps3_cheats.pdf
- https://cdn.shopify.com/s/files/1/0431/7731/2405/files/fabilun.pdf
- https://cdn.shopify.com/s/files/1/0429/1756/0473/files/21422979405.pdf
- https://cdn.shopify.com/s/files/1/0431/0505/8976/files/lojagojuvokawotivenewofu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012f63.bin` `81dd539e790c2c1fadcf1402e050cc36ccfb8c1b49b43cdd9cb60f8242444f28`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12F63	5200 bytes
`font_01_sfnt_off00014107.bin` `19e88e7aaf4c760e51d0bc63789bdf67ec1730f11dd7518495f5afaf50e0115c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14107	14064 bytes
`font_02_sfnt_off00016ee3.bin` `9b3f78461cd92b54123a7ccbd9c01482e975fa0784255d970b97fcf231cc3d16`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16EE3	16200 bytes
`font_03_sfnt_off0001841b.bin` `a1721dac5141efbdb2218075ceb166cf265b78c2199db072f823285ecc5642cf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1841B	13500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.