Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbfad93f4685eb9d…

Verdict: MALICIOUS
File type: PDF
Size: 72.7 KB
Created: 2020-09-18 04:53:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9636fe2d88f8aab2e40d66ef37b304d2
SHA-1: 3c36de26d8bcab0fa00dac64da72521a7e1792b4
SHA-256: cbfad93f4685eb9df68c38ad26ef0cda25b8e82b3004bd5a4018e976ecc2144a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which is also present in the document body. The link leads to 'ttraff.club', a known malicious domain. The PDF also exhibits characteristics of a link farm, suggesting an attempt to generate traffic or distribute malicious content. The document body, though heavily obfuscated, contains the malicious URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=pokemon+blaze+black+2+type+changes
    • https://cdn.shopify.com/s/files/1/0461/9380/3415/files/19295767193.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/75815848510.pdf
    • https://cdn.shopify.com/s/files/1/0431/6656/4503/files/69102741230.pdf
    • https://cdn.shopify.com/s/files/1/0428/9573/6988/files/verify_preorder_sequence_in_binary_search_tree.pdf
    • https://cdn.shopify.com/s/files/1/0429/6900/6236/files/tujko_dekha_to.pdf
    • https://cdn.shopify.com/s/files/1/0458/0130/8326/files/jadasofotinuze.pdf
    • https://cdn.shopify.com/s/files/1/0454/3823/8878/files/63079910516.pdf
    • https://cdn.shopify.com/s/files/1/0438/2552/8989/files/sivoxelalofibavetiw.pdf
    • https://99bd9b21-4b19-4c33-a872-4e9ed51d5829.filesusr.com/ugd/906e9f_6b185f58378c4feb84ac9b85758b587c.pdf?index=true
    • https://1ad18415-d1ad-47fc-aec0-fcdfc6579d4f.filesusr.com/ugd/784815_7ebac8aa240c4353b6c41b5cfad445f9.pdf?index=true
    • https://c94e3eef-b9be-4d38-a47e-c594cc186583.filesusr.com/ugd/80685d_2d98b837b90a42a0acdb543b9ed9f401.pdf?index=true
    • https://4e7a8afd-4049-4f78-9664-eecfb6d9eccf.filesusr.com/ugd/fe83c3_5cd7e12d74ce441e97f7211e5456ae96.pdf?index=true
    • https://3e637896-be8c-4cfa-8025-6c33c1ad08dd.filesusr.com/ugd/fb5067_1d769aa924aa46178ac2faa2cd5e3a51.pdf?index=true
    • https://d4b4a664-a029-4ea2-b58d-ec0fc092c9c2.filesusr.com/ugd/296484_1559a695ea5a4fd0a774537bc924d5b9.pdf?index=true
    • https://848d01a7-9299-4723-bbbc-7c5b08bc5005.filesusr.com/ugd/3f2390_0c2424440bf34c2a8fd4bc5f9a9c4d2f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dc72.bin
    SHA-256: 99c8b16e7a25dac68c98548afe51a30c61ad1d96e2499eb915ad5486d1923ba1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC72
    Size: 5740 bytes
  • Filename: font_01_sfnt_off0000eff4.bin
    SHA-256: 77e2d9ea65a5fce0c3a0649e84ad912a908de6abb75f22d28f9fe06e1ba5b205
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFF4
    Size: 11016 bytes