PDF malware analysis — malicious · d8a241234f521a3e

MALICIOUS

PDF

42.9 KB Created: 2020-09-03 00:12:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 491d4f35e5a4088519a576bacd49d775 SHA-1: c4e3d2d881b715cab2dcb7439f488e7bf72fdd63 SHA-256: d8a241234f521a3e28b8f80deb1509c7ac495bc58b2f7df35a989c570ee1a02c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one heuristic specifically identifying it as a 'PDF_MALICIOUS_REDIRECTOR_LINK' pointing to 'ttraff.com'. Another heuristic, 'PDF_SEO_LINK_FARM', indicates a large number of external PDF links, with the first identified as 'cdn.shopify.com/s/files/1/0432/5713/5257/files/42142088686.pdf'. These findings suggest the document's primary purpose is to redirect users to potentially harmful or spam-related content, likely for SEO manipulation or to host further malicious payloads.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=abyssal+demon+guide
- https://cdn.shopify.com/s/files/1/0432/5713/5257/files/42142088686.pdf
- https://cdn.shopify.com/s/files/1/0432/2990/5058/files/jarewananavifetar.pdf
- https://cdn.shopify.com/s/files/1/0428/9753/9231/files/michigan_form_5080.pdf
- https://cdn.shopify.com/s/files/1/0440/0034/6270/files/videoshow_pro_apk_premium.pdf
- https://static.usrfiles.com/ugd/7c3584_0e50666dc619452eb7c702a9b2185692.pdf
- https://static.usrfiles.com/ugd/b4a829_37345ce7b82244148576dd67321bec13.pdf
- https://static.usrfiles.com/ugd/6f9b04_0d3e114b1dfe4acbb3febe87d8bafc8e.pdf
- https://static.usrfiles.com/ugd/3b0c81_fee0e6d4551546d684e51c97a2bdef52.pdf
- https://static.usrfiles.com/ugd/c1c462_cd5fcf037e6b4e95a02fe4df5c125171.pdf
- https://static.usrfiles.com/ugd/47e66e_a480b669853a436e8b2cb202628a6a3c.pdf
- https://static.usrfiles.com/ugd/b8c837_dfc223fe45e24cfcb55b05119dac2595.pdf
- https://static.usrfiles.com/ugd/dc6899_f44a57da320649bc8b565dd63ad15f38.pdf
- https://static.usrfiles.com/ugd/3fb742_6c9b47a7e9734d2ebd2491a80bf56ee3.pdf
- https://cdn.shopify.com/s/files/1/0433/6504/0282/files/92196954198.pdf
- https://cdn.shopify.com/s/files/1/0431/2816/0417/files/37928862951.pdf
- https://cdn.shopify.com/s/files/1/0432/7958/1352/files/32465628141.pdf
- https://cdn.shopify.com/s/files/1/0432/3383/7224/files/appendiceal_mass_adalah.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a54.bin` `5e3d06ae0781fc8ce3d6a8e490bf0f2bed1496a5cd9b098ae269f09d8886a5b9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A54	5280 bytes
`font_01_sfnt_off00007c40.bin` `79a64151f62c923af16465b4d85671363bd053a6ea101e636761504a4ffbf123`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C40	10140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.