PDF malware analysis — malicious · ce69f20e4a681e52

MALICIOUS

PDF

38.7 KB Created: 2020-09-01 10:46:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8860c1e91dab6e7e833ead36a89b1038 SHA-1: 725577f5c07068931b91bc34da00449bb7b26b08 SHA-256: ce69f20e4a681e5201301b4ba851a17d6333ed73a3126c0ee02b2253103440c0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=finding+equations+of+lines+worksheet+tes'. This URL is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains references to the same URL and other PDF links, suggesting a link farm or redirection strategy. The file was generated by wkhtmltopdf, a tool often abused for creating malicious documents.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=finding+equations+of+lines+worksheet+tes
- https://static.usrfiles.com/ugd/696b8a_584acb11645a40adba1fb07e677ec37f.pdf
- https://static.usrfiles.com/ugd/b8c837_2762b56172ef4ef8bb40c865dfa9f22b.pdf
- https://static.usrfiles.com/ugd/3e9e83_cda9bbb803f54639aa3f526f90265bb8.pdf
- https://static.usrfiles.com/ugd/b8c837_2eb17ebcb54d4dd4b98a7b1c9242065a.pdf
- https://static.usrfiles.com/ugd/b8c837_6e8fa62f09e64e5fa9f5eec1e7274cb6.pdf
- https://cdn.shopify.com/s/files/1/0435/1305/3343/files/query_google_sheets_no_header.pdf
- https://cdn.shopify.com/s/files/1/0429/2254/1209/files/deniwame.pdf
- https://cdn.shopify.com/s/files/1/0440/1584/5541/files/12698060937.pdf
- https://cdn.shopify.com/s/files/1/0432/1515/9458/files/labijikujimolepu.pdf
- https://cdn.shopify.com/s/files/1/0429/5265/5002/files/laxaruzututa.pdf
- https://cdn.shopify.com/s/files/1/0438/9748/7512/files/negative_questions_exercises.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64541570927.pdf
- https://cdn.shopify.com/s/files/1/0433/9574/3907/files/papoboragutux.pdf
- https://cdn.shopify.com/s/files/1/0436/2698/7680/files/juremem.pdf
- https://cdn.shopify.com/s/files/1/0431/3654/9018/files/teluzox.pdf
- https://cdn.shopify.com/s/files/1/0440/4215/8245/files/49328253076.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004ba2.bin` `31c8e44963054ee23873d069b49af249bbf2a4f57737ef17b1a9c24c894557b3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4BA2	5288 bytes
`font_01_sfnt_off00005da0.bin` `1f28a62dab2c6cd3b0fd6f4049d536d0373e567c0820d262eceaae62ea1bf390`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DA0	10020 bytes
`font_02_sfnt_off00007fd3.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FD3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.