PDF malware analysis — malicious · d0f6b5635dab0d2f

MALICIOUS

PDF

52.6 KB Created: 2020-08-02 14:14:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8457e0576124765319b6f425fcc06d3c SHA-1: 7dea33e00ec2d4238ca07b630043e48919b21743 SHA-256: d0f6b5635dab0d2f0e3f05a143a8194074f94174bf65bf4a68c1bb2b70f0f2dc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, with the primary one being 'cdn.shopify.com/s/files/1/0433/9643/2021/files/dajoxuvobi.pdf'. This suggests an attempt to lure users to malicious infrastructure through a deceptive link farm.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=intellij+push+to+github
- http://files.daisypetfood.com/uploads/1/3/1/4/131409621/84d4a5b74e6a5.pdf
- http://files.gooddayhandmade.com/uploads/1/3/2/7/132712514/ff423db7498e6a.pdf
- http://files.amandabeekhuizen.com/uploads/1/3/2/6/132683000/dikezigitos.pdf
- http://files.junesablandesigns.com/uploads/1/3/2/6/132680890/gasunonez.pdf
- http://files.thegreatdivepodcast.com/uploads/1/3/2/6/132681156/julinawotoze.pdf
- https://cdn.shopify.com/s/files/1/0433/9643/2021/files/dajoxuvobi.pdf
- https://cdn.shopify.com/s/files/1/0437/3640/0037/files/jurutesowenumegaz.pdf
- https://cdn.shopify.com/s/files/1/0428/3629/5836/files/gamulopabawiridadozi.pdf
- https://cdn.shopify.com/s/files/1/0429/8014/7359/files/gutarobigaza.pdf
- https://cdn.shopify.com/s/files/1/0429/9368/0547/files/49100656557.pdf
- https://cdn.shopify.com/s/files/1/0432/9386/8187/files/create_bootable_usb_mac.pdf
- https://cdn.shopify.com/s/files/1/0435/1731/3178/files/95974766869.pdf
- https://cdn.shopify.com/s/files/1/0428/2207/4534/files/nufofosapilakunemurezer.pdf
- https://cdn.shopify.com/s/files/1/0428/7240/6179/files/47982572849.pdf
- https://cdn.shopify.com/s/files/1/0438/5298/8566/files/gelamolafusozufuxesam.pdf
- https://cdn.shopify.com/s/files/1/0427/8432/5798/files/gazizonobuxiwozugemaji.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000795f.bin` `644035f619bf1ee4b032937514eee9765f2b9825372c914a25a63e7ab7ab64e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x795F	4928 bytes
`font_01_sfnt_off00008a27.bin` `ad5ec62bcc619a5d7d10f824c1f4fb140a9fd93baeee2d93b61a22fc4fa37453`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8A27	11052 bytes
`font_02_sfnt_off0000afd6.bin` `0c82561ead172ac0e51412abe629b5944d5f81f469066018c017fef234fe4ba7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAFD6	16388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.