PDF malware analysis — malicious · cd9dd1c1c7c5a24e

MALICIOUS

PDF

41.4 KB Created: 2020-08-30 03:41:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5cedb6d5736f00a587a9fbf1dd84fa2f SHA-1: 12a03f45b49b9229050df5f9d43c9fd45f590303 SHA-256: cd9dd1c1c7c5a24e305a7896e76df8e5548d26eef8a7b190fa7fa603f222df52

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with a critical heuristic identifying a malicious redirector at https://ttraff.com/wix. The document body, though heavily obfuscated, contains text related to 'the space between us full movie free', suggesting a lure to attract users to click the malicious link. The presence of numerous Shopify links, while many are benign, contributes to a link farm strategy. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=the+space+between+us+full+movie+free
- https://cdn.shopify.com/s/files/1/0434/4309/3660/files/evangelhos_apcrifos_download.pdf
- https://cdn.shopify.com/s/files/1/0431/0184/7713/files/altronic_cpu_95.pdf
- https://cdn.shopify.com/s/files/1/0438/5583/9392/files/85889593805.pdf
- https://cdn.shopify.com/s/files/1/0429/7064/4631/files/86907820644.pdf
- https://cdn.shopify.com/s/files/1/0441/1876/9816/files/activesheet._listobjects._add_dynamic_range.pdf
- https://cdn.shopify.com/s/files/1/0430/2739/8807/files/epidemiologa_analtica.pdf
- https://cdn.shopify.com/s/files/1/0431/4251/2797/files/46785217507.pdf
- https://cdn.shopify.com/s/files/1/0431/8828/9694/files/34093347132.pdf
- https://static.usrfiles.com/ugd/39cb9d_bf052a1fb6824ed59ed4a50e84392230.pdf
- https://static.usrfiles.com/ugd/b8c837_0a498d95f1c549b0a84515fce544a631.pdf
- https://cdn.shopify.com/s/files/1/0460/4008/8740/files/preventive_maintenance_checklist_format.pdf
- https://cdn.shopify.com/s/files/1/0436/9760/2713/files/used_motorhomes_parts.pdf
- https://cdn.shopify.com/s/files/1/0448/4818/5501/files/81750476255.pdf
- https://cdn.shopify.com/s/files/1/0433/5229/3541/files/kagerou_theme_overlay.pdf
- https://cdn.shopify.com/s/files/1/0439/3569/5016/files/cambridge_practice_test_for_pet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000551a.bin` `c531edd1028e04f4a42cc58a2bb9f10bb371bb22f164447aebedb3f2205e2498`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x551A	5376 bytes
`font_01_sfnt_off00006743.bin` `95443cb2410f89f823f80e37b547e9b4a892c40bebdad2a6efc4374d693f4fbd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6743	10288 bytes
`font_02_sfnt_off00008aab.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8AAB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.