PDF malware analysis — malicious · dbf9bed39475111f

MALICIOUS

PDF

55.4 KB Created: 2020-08-31 22:30:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 61a4d763e595aa38b3d449894dae032d SHA-1: a5dc3f8483f87c10554c394f5e7c3397531cb6f8 SHA-256: dbf9bed39475111f1387fcc2659ebba98df8c6e8dca8d94feff955e8caa20771

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Phishing: Spearphishing Attachment T1200 Hardware Add-in Systems T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains a large number of embedded links, many of which point to shopify.com domains, but one critical link directs to a known malicious redirector at ttraff.com. This suggests a phishing or social engineering attack where the user is enticed to click through to a malicious site. The document body contains garbled text but includes the target URL, reinforcing the malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=python+spyder+auto+format+code
- https://cdn.shopify.com/s/files/1/0432/7876/2140/files/titelami.pdf
- https://cdn.shopify.com/s/files/1/0430/5331/8298/files/46061093293.pdf
- https://cdn.shopify.com/s/files/1/0429/5000/0796/files/wow_prot_warrior_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/8947/8307/files/43955436106.pdf
- https://cdn.shopify.com/s/files/1/0436/4802/4741/files/ccna_2_pretest_exam_answers.pdf
- https://cdn.shopify.com/s/files/1/0430/3667/2162/files/68735292625.pdf
- https://cdn.shopify.com/s/files/1/0434/6911/1448/files/afterglow_play_script.pdf
- https://cdn.shopify.com/s/files/1/0429/5675/1002/files/payment_of_bonus_act_1965_project.pdf
- https://cdn.shopify.com/s/files/1/0433/0507/4838/files/pogajolo.pdf
- https://static.usrfiles.com/ugd/253000_d012502133264a30a67b770fd2d607c4.pdf
- https://static.usrfiles.com/ugd/739437_00124d74451847d0908cac3db9839c2a.pdf
- https://static.usrfiles.com/ugd/b8c837_469bdc7996e2437d98cc89df968115a4.pdf
- https://static.usrfiles.com/ugd/b8c837_cf53d8e365f34b8cb2a280aba733265a.pdf
- https://static.usrfiles.com/ugd/856cea_38f9670696d5404896a9c53e0ce9dc05.pdf
- https://static.usrfiles.com/ugd/b8c837_302454ce0cdf42f5b196069a7f5d608f.pdf
- https://static.usrfiles.com/ugd/87fdc7_69ca148e211549639962c8df1e3a1c47.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000090b2.bin` `794f7f7be5156fca39800bf0e9e09f1ac29094c8fd340460156caf02f93bdc65`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x90B2	5468 bytes
`font_01_sfnt_off0000a31e.bin` `ac4b6e13d0f11b2a1ff3ea503d1faee07150964321fabe2a9a5d5dc05cb1d896`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA31E	2100 bytes
`font_02_sfnt_off0000ace7.bin` `de4120c2a702eecf6a4c863b0b1a3bb35c9f7c0cad534d95410b52ffa8dece62`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xACE7	10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.