PDF malware analysis — malicious · d3fae4ca7efc9d42

MALICIOUS

PDF

62.4 KB Created: 2020-08-01 06:09:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4701e4934aa22486bbb4bc6a7106f4cb SHA-1: db621f77ff68f2b64f0068b984346e4afc9d15c7 SHA-256: d3fae4ca7efc9d425da5707dabd00796f00c1bb7aba81fd30a86e95f289c9d05

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to lure the user to a harmful site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=display+inline-+block
- http://files.medicalaestheticsct.com/uploads/1/3/0/7/130739595/puxegap.pdf
- http://files.segarsgroup.com/uploads/1/3/0/7/130739974/jerimesatafe_vibijaso_kabikezozukisal_koriruwagoxuki.pdf
- http://files.japanesephilately.com/uploads/1/3/2/6/132695734/jenezutufo_lexiga_sabaxidado_manovus.pdf
- http://files.moredoorclassics.com/uploads/1/3/1/4/131453188/4191449.pdf
- https://cdn.shopify.com/s/files/1/0431/9812/0094/files/44004704146.pdf
- https://cdn.shopify.com/s/files/1/0431/8884/6753/files/xogoratawab.pdf
- https://cdn.shopify.com/s/files/1/0432/5919/9650/files/rilugupog.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64830269039.pdf
- https://cdn.shopify.com/s/files/1/0433/9305/6933/files/xarizovagudakaxid.pdf
- https://cdn.shopify.com/s/files/1/0432/4638/7362/files/tedesowiruforopubuv.pdf
- https://cdn.shopify.com/s/files/1/0431/5080/3099/files/kirisizavefi.pdf
- https://cdn.shopify.com/s/files/1/0430/4722/3458/files/59345230067.pdf
- https://cdn.shopify.com/s/files/1/0432/0536/1821/files/40792207349.pdf
- https://cdn.shopify.com/s/files/1/0437/4937/6149/files/kugekilaleragaputoji.pdf
- https://cdn.shopify.com/s/files/1/0437/2958/4282/files/15827147197.pdf
- https://cdn.shopify.com/s/files/1/0438/2441/4882/files/binikuduvadakup.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_006_off0000cf78.bin` `62fcd854aae7620f7a80e60a581426712853b29d4a30b9fcbdd652ba72119780`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCF78	18720 bytes
`font_00_sfnt_off00009157.bin` `7a7e484ba1272a907531990c8378e3318fce430e12f2cae50ef23e9b7940b94d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9157	5168 bytes
`font_01_sfnt_off0000a312.bin` `e9450b12a688ec2721cc3a40c13b872154772d1d4e24dd7da920cb25d11ceeda`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA312	13988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.