Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf493f8bcd061dca…

Verdict: MALICIOUS

File type: PDF

Size: 112.0 KB
Created: 2020-08-10 13:27:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c91536963fb7856e20b084b6b544b057
SHA-1: b0ce66385e96bf2a173752beebb3c3e1be66d0be
SHA-256: cf493f8bcd061dca9e8da6e3f4ef80d9b3344f42e96f27a235e95aa054304acd

Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=bowflex+blaze+exercises+pdf'. Another critical heuristic identified a PDF link farm, suggesting a broad distribution effort. The document body, though heavily obfuscated, contains the lure text 'Bowflex blaze exercises pdf' and the malicious URL, indicating an attempt to trick users into clicking the link for a potential scam or phishing attempt.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, which is consistent with callback phishing or tech-support scam patterns.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=bowflex+blaze+exercises+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000176e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176E7 | 5548 bytes
    SHA-256: d6ea62ce3af31f320def116c89c3305099af1f37cbb9cd8fa4f5e2ffe15ec9c8
font_01_sfnt_off000189f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x189F3 | 11988 bytes
    SHA-256: 99158c2f24c5cbdb8ceef532ccf7aa6057e285f7cfb07ee155afb13bbc6eb8c6