PDF malware analysis — malicious · d4a5b7ca5f67f0b5

MALICIOUS

PDF

37.6 KB Created: 2020-09-18 21:46:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 644b483d3f8d3935c0fd31c3532db1c1 SHA-1: 9bfabf6e1259833f30345ef431e74f821720b1d2 SHA-256: d4a5b7ca5f67f0b5f4fedd3ba1e40dfc072bf2da0afa5ff90dc4088d6b5d5cd8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a mass of external links, including a primary link to a known malicious redirector at https://ttraff.club/wix?keyword=rav+4+manual+for+sale+in+uganda. This suggests the document is designed to lure users to malicious infrastructure under the guise of providing a car manual. No scripts were extracted, but the PDF structure and embedded links are indicative of a phishing or redirection campaign.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=rav+4+manual+for+sale+in+uganda
- https://cdn.shopify.com/s/files/1/0465/1617/4998/files/24903626636.pdf
- https://cdn.shopify.com/s/files/1/0434/0393/5911/files/37228646580.pdf
- https://cdn.shopify.com/s/files/1/0432/5851/1510/files/39280101672.pdf
- https://cdn.shopify.com/s/files/1/0437/0956/3029/files/access_2007_report_sum_calculated_field.pdf
- https://8d583be4-6862-4fa4-963e-b1ae5230ebc1.filesusr.com/ugd/93c935_a36fa7c06fa749a68be44b0a32c93bd6.pdf?index=true
- https://6bdb62cb-eb72-4e77-802e-10835c8bb26c.filesusr.com/ugd/89b1bc_32bad23d8dc14cc2a07bf53ee5e5e54c.pdf?index=true
- https://9fb2526b-b465-4c00-93ce-0c7bac16a467.filesusr.com/ugd/98d639_021370b8e58d41738c365399939dbbcd.pdf?index=true
- https://3c74ee5d-4d6d-4ebd-9c69-625ea69aedb9.filesusr.com/ugd/39cb9d_50f5fd0af92e465aac58e8662d7af774.pdf?index=true
- https://794ffeaa-2844-43f5-a295-5fb02bb157ab.filesusr.com/ugd/6f7357_2a7e997e20b240279e64c9d497908019.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/7522/3200/files/outlook_express_free.pdf
- https://cdn.shopify.com/s/files/1/0440/7833/4117/files/towetojipujoz.pdf
- https://cdn.shopify.com/s/files/1/0428/6355/8815/files/bagumamokumile.pdf
- https://cdn.shopify.com/s/files/1/0432/2207/3506/files/7623721115.pdf
- https://cdn.shopify.com/s/files/1/0431/4500/3169/files/tolafetazit.pdf
- https://cdn.shopify.com/s/files/1/0433/0356/7515/files/alphabet_letters_printable_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0434/8909/9938/files/67708284583.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000559c.bin` `a44b5a5db3815852339e3b4d6aee4fb6a5022575d02817cb647f850be5e7526e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x559C	5384 bytes
`font_01_sfnt_off000067e5.bin` `3d5d251e90e99754d307660dd4ba43dd024ef1a0d4fa14a40748b2a57e048e53`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67E5	9860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.