PDF malware analysis — malicious · c7de39191052afdb

MALICIOUS

PDF

49.7 KB Created: 2020-08-11 19:13:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6a08556982118aed71f194fb662f7bbd SHA-1: 52cf0e1d89d814c6bdaaa4e6fe247b0400c67e17 SHA-256: c7de39191052afdbf1dcf42e835c814d9f519dbb316083ab6319ca95cd70af5e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, disguised as a link to a pharmacology textbook. The document body also contains numerous links to other PDFs hosted on various domains, suggesting a link farm or a method to obscure the primary malicious destination. The primary malicious URL is https://ttraff.com/pify?keyword=textbook+of+clinical+pharmacology+and+therapeutics+pdf, which is likely used to redirect the user to a phishing or malware-hosting site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=textbook+of+clinical+pharmacology+and+therapeutics+pdf
- http://files.newbarracks.org/uploads/1/3/0/7/130775145/242833.pdf
- http://files.vidarthegame.com/uploads/1/3/0/8/130874023/zexokef.pdf
- http://tulizet.joshdaughtry.com/uploads/1/3/0/7/130740178/xezisil.pdf
- http://tefiz.nanny-bears.co.uk/uploads/1/3/1/4/131407668/63baccdec29a.pdf
- https://cdn.shopify.com/s/files/1/0433/6258/2693/files/29236633986.pdf
- https://cdn.shopify.com/s/files/1/0432/4392/9757/files/wades.pdf
- https://cdn.shopify.com/s/files/1/0431/6905/4886/files/18378537597.pdf
- https://cdn.shopify.com/s/files/1/0431/3333/7768/files/zevotapeza.pdf
- https://cdn.shopify.com/s/files/1/0434/8909/9938/files/82931246283.pdf
- https://cdn.shopify.com/s/files/1/0440/9756/8920/files/certificato_anamnestico_patente_di_guida.pdf
- https://cdn.shopify.com/s/files/1/0437/7119/9642/files/stihl_fse_60_manual.pdf
- https://cdn.shopify.com/s/files/1/0438/8657/5771/files/system_analysis_and_design_project_example.pdf
- https://cdn.shopify.com/s/files/1/0432/1574/9281/files/rejenitepilo.pdf
- https://cdn.shopify.com/s/files/1/0437/2935/4903/files/phytic_acid_in_foods.pdf
- https://cdn.shopify.com/s/files/1/0434/5580/7654/files/43914535054.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006947.bin` `dae2f4d90b4b522d8b8ac08ac143cd7fed6a6eb0c9188b1a3c333d2f3575f5bd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6947	5892 bytes
`font_01_sfnt_off00007d2f.bin` `ed03da5373565c387bbfb897fee92ef14a413d460ea6b4937aea249ce5f15a17`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D2F	10228 bytes
`font_02_sfnt_off0000a043.bin` `734a2bc91f073957fd56820e8367921084dc0289cf273f3b70e67241e90f341d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA043	16948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.