PDF malware analysis — malicious · dca71a15954bc890

MALICIOUS

PDF

51.7 KB Created: 2020-08-12 00:40:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7b267f40c780094c366c9a5aa92025a2 SHA-1: 5f368ef9848d142542858d0b00e5f68bf0a25a3c SHA-256: dca71a15954bc890348a436f6ff2f5ea5ee9f900ac5c64cbcd9a6516bf2db455

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass of external links, including one pointing to a known malicious redirector at `ttraff.com`. The document body, though heavily obfuscated, contains text suggesting a lure for a free grammar PDF, which is then linked to the malicious redirector. This indicates a likely phishing or malware distribution attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=bescherelle+grammaire+francais+pdf+gratuit
- http://fezavaxe.dickenspickins.com/uploads/1/3/1/6/131606354/salokotewadurakolol.pdf
- http://firosa.meacorsigns.com/uploads/1/3/0/7/130776445/c56fa90575.pdf
- http://rivavesox.rawsolart.com/uploads/1/3/0/8/130873995/1150659.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rinavupomun.pdf
- https://cdn.shopify.com/s/files/1/0430/9119/8112/files/agenda_2020_para_imprimir_gratis.pdf
- https://cdn.shopify.com/s/files/1/0434/2376/0536/files/minecraft_1._14._2_forge.pdf
- https://cdn.shopify.com/s/files/1/0430/9480/2593/files/loadrunner_tutorials.pdf
- https://cdn.shopify.com/s/files/1/0431/1787/1265/files/fedavukupixi.pdf
- https://cdn.shopify.com/s/files/1/0433/8502/8758/files/muzitureviribu.pdf
- https://cdn.shopify.com/s/files/1/0431/5847/0813/files/rovisoruxe.pdf
- https://cdn.shopify.com/s/files/1/0428/7728/8611/files/gatusubiwiwiru.pdf
- https://cdn.shopify.com/s/files/1/0432/8567/6188/files/25238369103.pdf
- https://cdn.shopify.com/s/files/1/0432/3957/1616/files/32887105479.pdf
- https://cdn.shopify.com/s/files/1/0427/9477/8791/files/35775729279.pdf
- https://cdn.shopify.com/s/files/1/0434/3031/4133/files/lakezukusoled.pdf
- https://cdn.shopify.com/s/files/1/0437/7303/4657/files/restaurant_reservation_form.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064c9.bin` `f32335d6b1f7e4f05379878bb7fe4440c68c2910b4506070f11c567d217e80dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64C9	5388 bytes
`font_01_sfnt_off000076f2.bin` `928b68d912ed4f7d660083b3052e54beaefc3ff3b6b130370f6f440caca2e84e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76F2	11640 bytes
`font_02_sfnt_off00009c17.bin` `bcfecb9fde4b74e4a2b692e15caf305b2988a1cfe4c6386614002e38d35feb86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C17	16168 bytes
`font_03_sfnt_off0000b11d.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB11D	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.