PDF malware analysis — malicious · d4db2a1c80885a1a

MALICIOUS

PDF

63.9 KB Created: 2020-09-01 03:46:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 577bbe03c6ba1d79612b74df2cab7c32 SHA-1: 4f5d15225c095b26597580b2cc0fd7f6ecd50ca3 SHA-256: d4db2a1c80885a1ad21f13b18f30e9f9418c4a56d841e037e0ad1ba588eae793

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which is also present in the document body as a lure for 'Annual return of gst form 9'. The link leads to `https://ttraff.cc/wix?keyword=annual+return+of+gst+form+9`, which is a known malicious redirector. The PDF also contains a large number of external links, many of which point to Shopify, suggesting a link farm for SEO poisoning or to host further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=annual+return+of+gst+form+9
- https://cdn.shopify.com/s/files/1/0435/3160/0031/files/82419428817.pdf
- https://cdn.shopify.com/s/files/1/0429/8987/9445/files/41722429979.pdf
- https://cdn.shopify.com/s/files/1/0434/0930/9848/files/electrocardiogram_app_for_android.pdf
- https://cdn.shopify.com/s/files/1/0440/3331/0870/files/duwuku.pdf
- https://static.usrfiles.com/ugd/b8c837_d05ce806e25141aa92bb4a89de07d8ea.pdf
- https://static.usrfiles.com/ugd/f63f29_429fa0da7b5f423e83263506a538dfc6.pdf
- https://static.usrfiles.com/ugd/9b5f63_4e293103e1514f609c639de4b404b492.pdf
- https://static.usrfiles.com/ugd/b8c837_5f358ec0d68e483597dc431956c309c9.pdf
- https://static.usrfiles.com/ugd/ee9d3f_40ce6c984834420a8aabc49d67540abd.pdf
- https://static.usrfiles.com/ugd/e5cbe5_157ffb9ddfad46b6a1ac032b001174e0.pdf
- https://static.usrfiles.com/ugd/d2cc1f_2e8bf17b7cb2422faf3726543587c572.pdf
- https://static.usrfiles.com/ugd/b8c837_20cd28342c4c4789b321a1bce7b0533a.pdf
- https://static.usrfiles.com/ugd/b8c837_b82d6f5d1dbb47118c68a5ff1168ab42.pdf
- https://static.usrfiles.com/ugd/3826db_ab000aa4cb2f4370a77053cdfa6095fe.pdf
- https://static.usrfiles.com/ugd/0779a3_18468ce5258b41bb9ad0b8cdbe3e8907.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a740.bin` `7b6979d11ce8248f8049e0ec4cc3342a383aa4d075c17d56045da5811af32a50`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA740	5232 bytes
`font_01_sfnt_off0000b8fc.bin` `86f68a280a5b2a1c9009da551e3a3e665ac5231426c78dbf6fb5424c5da2ecac`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB8FC	10588 bytes
`font_02_sfnt_off0000dd1c.bin` `e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDD1C	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.