PDF malware analysis — malicious · d20547b4becbde6c

MALICIOUS

PDF

47.0 KB Created: 2020-08-20 19:17:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8ef9166c5b06ad9c309cf1234e9481dd SHA-1: d50e45bb9168b4f756a2474df95505c354a54159 SHA-256: d20547b4becbde6cfee18ec880ee41e2cf2466273895797b41bd429cf802eb5a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify-hosted PDFs, forming a link farm. One critical heuristic identified a direct link to a known malicious redirector at 'ttraff.cc'. The document body, though heavily obfuscated, contains the same redirector URL. This indicates a social engineering attempt to lure users to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=chal+chaiya+chaiya+remix
- http://kapijig.phohawkphoto.com/uploads/1/3/2/7/132712207/ccc8d189580.pdf
- http://files.thehappyfits.com/uploads/1/3/1/4/131408738/nuxabutelinet.pdf
- https://cdn.shopify.com/s/files/1/0432/5523/4710/files/59622264108.pdf
- https://cdn.shopify.com/s/files/1/0437/8850/1143/files/the_allegory_of_the_cave_text.pdf
- https://cdn.shopify.com/s/files/1/0427/9622/0572/files/vefamixogesefotevaw.pdf
- https://cdn.shopify.com/s/files/1/0434/1871/4264/files/o_mio_babbino_caro_scribd.pdf
- https://cdn.shopify.com/s/files/1/0437/1123/4197/files/blank_danger_sign_template.pdf
- https://cdn.shopify.com/s/files/1/0440/3704/6422/files/jifig.pdf
- https://cdn.shopify.com/s/files/1/0429/7595/3049/files/71875837956.pdf
- https://cdn.shopify.com/s/files/1/0432/6424/5925/files/deep_and_wide_andy_stanley.pdf
- https://cdn.shopify.com/s/files/1/0439/5424/1694/files/verujopotogukovozeg.pdf
- https://cdn.shopify.com/s/files/1/0429/1405/4300/files/vanigakexiv.pdf
- https://cdn.shopify.com/s/files/1/0439/4886/7739/files/free_schedule_template_daily.pdf
- https://cdn.shopify.com/s/files/1/0430/8946/1410/files/dimozuze.pdf
- https://cdn.shopify.com/s/files/1/0429/3348/5727/files/rameziruvixudata.pdf
- https://cdn.shopify.com/s/files/1/0431/3317/3927/files/sand_blasting_process.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064e7.bin` `811664d4cb2d7a864f5651159959eb06f58df723d76f78de65ce0a8ba9f78327`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64E7	4936 bytes
`font_01_sfnt_off00007594.bin` `8cb7fccf2422d4426d4e8ecd4273fdf8e236e585be410dd124a2b7bd849e8dab`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7594	12928 bytes
`font_02_sfnt_off00009f88.bin` `01c1e51170b9b6cbe98d6a3fae8b4d74773ea40915e8ab5f1d51605577c611d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F88	4000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.