PDF malware analysis — malicious · d030935c31981193

MALICIOUS

PDF

47.0 KB Created: 2020-08-22 10:33:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 61744fa5f6639ebf32cf9cc722915ce1 SHA-1: d2cd69a2f45c03a339fd179ce04fc714e9da5d8f SHA-256: d030935c31981193ec32a1b32f458282ccd5272298dea99fd8106d1311bfd564

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one critical heuristic identifying it as a malicious redirector. The primary malicious URL, 'https://ttraff.cc/pify?keyword=anime+slayer+android+2.+3.+6', is likely used to redirect users to a harmful destination. The document body, though heavily obfuscated, contains references to URLs, further supporting the malicious redirector pattern. The presence of a link farm suggests an attempt to manipulate search engine results or distribute malicious links broadly.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=anime+slayer+android+2.+3.+6
- http://pajag.brygeog.net/uploads/1/3/1/3/131398404/34a8a.pdf
- https://cdn.shopify.com/s/files/1/0436/9504/6811/files/50266226928.pdf
- https://cdn.shopify.com/s/files/1/0448/3108/0605/files/91898433678.pdf
- https://cdn.shopify.com/s/files/1/0438/8365/9419/files/canadian_immigration_skilled_worker_application_form.pdf
- https://cdn.shopify.com/s/files/1/0428/2669/4822/files/cissp_practice_exams_fifth_edition.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/70686619693.pdf
- https://cdn.shopify.com/s/files/1/0435/5240/7704/files/st_catherines_school_uniform.pdf
- https://cdn.shopify.com/s/files/1/0435/3271/4139/files/xagibaxumuv.pdf
- https://cdn.shopify.com/s/files/1/0431/0768/0405/files/zipovizil.pdf
- https://cdn.shopify.com/s/files/1/0432/0477/2000/files/61984270928.pdf
- https://cdn.shopify.com/s/files/1/0431/4179/1900/files/38010044915.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7872/files/sql_injection_password_form.pdf
- https://cdn.shopify.com/s/files/1/0433/7614/8638/files/fuvudutu.pdf
- https://cdn.shopify.com/s/files/1/0438/3404/8669/files/zuruz.pdf
- https://cdn.shopify.com/s/files/1/0440/3871/7605/files/76229195981.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off00008241.bin` `afcb140b8a66b52403b64531ccf6fc330bedfc0c487e0fe349ff4d258538288e`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x8241	24776 bytes
`font_00_sfnt_off00004dd1.bin` `59073381471659eb0b3097bfead3b58a5e080822db83cb5da0e6ee3c9bee208b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4DD1	5544 bytes
`font_01_sfnt_off0000608d.bin` `ce31e35aa58caa2dbfd9f3a09eac0fd3d737a54fc2216caa48aad93c8fb43391`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x608D	9784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.