PDF malware analysis — malicious · c9513665bcb62520

MALICIOUS

PDF

43.7 KB Created: 2020-08-21 11:13:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1570e6e64644533e7f9ad59f70c3cc86 SHA-1: f2e668d074720f064ba7921aab2d8223ba7066ed SHA-256: c9513665bcb625204b12573fd4ccbe6f79c24d2fb82dfeb5a08914df9af06df9

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF document contains embedded links that lead to a redirector service, which is a common technique for phishing and malware distribution. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this, pointing to 'https://ttraff.com/pify?keyword=billing+statement+template+doc'. The document body and heuristics indicate a lure related to invoices or payment statements, aligning with the 'SE_INVOICE_LURE' finding. The presence of numerous external PDF links, as flagged by 'PDF_SEO_LINK_FARM', suggests an attempt to distribute content or potentially mask malicious links.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=billing+statement+template+doc
- http://files.soulshineslc.com/uploads/1/3/0/7/130776875/rebuzo.pdf
- http://kutowu.vellusandterminal.com/uploads/1/3/1/3/131383965/29c817cf5330fb.pdf
- http://kosenotu.markolalde.com/uploads/1/3/1/1/131164312/1434662da1c6.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/34530012154.pdf
- https://cdn.shopify.com/s/files/1/0431/1053/1233/files/luvitafunibubizamin.pdf
- https://cdn.shopify.com/s/files/1/0428/8770/8825/files/chikati_gadilo_chithakotudu_movie_teaser.pdf
- https://cdn.shopify.com/s/files/1/0434/3758/8646/files/fodojemotatede.pdf
- https://cdn.shopify.com/s/files/1/0431/0935/1575/files/cervical_stretching_exercises.pdf
- https://cdn.shopify.com/s/files/1/0433/9603/8812/files/1459989822.pdf
- https://cdn.shopify.com/s/files/1/0428/7430/6727/files/56182656522.pdf
- https://cdn.shopify.com/s/files/1/0447/5663/1701/files/24853140268.pdf
- https://cdn.shopify.com/s/files/1/0433/0664/7707/files/3d_scatter_plot_matlab.pdf
- https://cdn.shopify.com/s/files/1/0431/8678/2371/files/faruwilukerugedosuvemuxip.pdf
- https://cdn.shopify.com/s/files/1/0429/8866/7039/files/78115122083.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006d7a.bin` `b7a2615efa0adde88f71bfb706b7f058df570a63c37fd4f6f2d7f2b7a3668443`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D7A	5348 bytes
`font_01_sfnt_off00007f89.bin` `8f1f05d4e9e1a24fff6157f061527ea3f8eaf66692b0af3a764c1d8e49263a1c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F89	10148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.