PDF malware analysis — malicious · c8ae8ace496c22ed

MALICIOUS

PDF

47.3 KB Created: 2020-08-07 09:11:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4a8e6c4bbda1603ad1f6f5f9fca9dac1 SHA-1: 76128c21b25136c3d05b644dab37f9033fed9886 SHA-256: c8ae8ace496c22ed675288e2f815d26072597dadd69c411de973ea6495c8ab73

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The primary malicious URL identified is https://ttraff.com/pify?keyword=assamese+news+paper+download+pdf, which likely serves as a lure to download further malicious content. The document body, though heavily obfuscated, contains references to downloading PDFs, aligning with the observed link farm behavior.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=assamese+news+paper+download+pdf
- http://kajenub.castlesjewelry-gifts.com/uploads/1/3/1/4/131453133/4474474.pdf
- http://files.cantonbeachpaddleshack.com.au/uploads/1/3/1/1/131163943/zedujogikofa.pdf
- http://files.vawvtrampoline.com/uploads/1/3/0/7/130739371/kumubuzavonu.pdf
- https://cdn.shopify.com/s/files/1/0429/5681/6540/files/momela.pdf
- https://cdn.shopify.com/s/files/1/0433/1605/2123/files/wanudusuxezonukejuduf.pdf
- https://cdn.shopify.com/s/files/1/0432/5294/0968/files/dilavinovanigabopat.pdf
- https://cdn.shopify.com/s/files/1/0436/8711/6965/files/nifirudufebitemafirafux.pdf
- https://cdn.shopify.com/s/files/1/0437/9800/3874/files/97664606423.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/12509012650.pdf
- https://cdn.shopify.com/s/files/1/0435/1187/3695/files/disozasubovabuvotazoke.pdf
- https://cdn.shopify.com/s/files/1/0427/7541/2902/files/navy_blue_jacket_manual_online.pdf
- https://cdn.shopify.com/s/files/1/0431/8950/2110/files/kumikukozafun.pdf
- https://cdn.shopify.com/s/files/1/0437/0785/9096/files/minecraft_keep_inventory.pdf
- https://cdn.shopify.com/s/files/1/0440/5932/8662/files/fomenovi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005935.bin` `8f3238e5f706ab358781eed77559a5616f6aaaf2b8ec9805fa06d0af9fb5b1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5935	4928 bytes
`font_01_sfnt_off000069d6.bin` `0a7d36eb3498b6455ddb1f01f2dbc34e4b9d8862814193d1804521b0f27d2494`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69D6	6060 bytes
`font_02_sfnt_off00007d6e.bin` `a14e0be9cdae06c62240bdb309d88813bb3dc9bdd3f65a627fd31493c0e3d1cb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D6E	10076 bytes
`font_03_sfnt_off00009fd7.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FD7	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.