PDF malware analysis — malicious · de2b0c9df1525729

MALICIOUS

PDF

40.1 KB Created: 2020-08-08 23:07:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 43ea88855fbd8f173dcd9cd2d9989576 SHA-1: ced01eb8b72edeab028e29a0f09faf7b3959fc40 SHA-256: de2b0c9df15257291cac0fc73bb5f19e39054dba8c2752cd8a48a2eb7de44ba5

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body also contains a call-to-action phrase, reinforcing the lure. The primary malicious URL identified is https://ttraff.cc/pify?keyword=adobe+reader+pro+convert+pdf+to+word, which likely leads to further malicious content. The presence of a link farm suggests an attempt to manipulate search engine results to distribute malicious PDFs.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=adobe+reader+pro+convert+pdf+to+word
- http://rodejefa.autumnsteam.com/uploads/1/3/2/6/132681556/borutozemini_zifomonuwawi_fatijajerajaf_kezepozaki.pdf
- http://files.dog-gonefancy.com/uploads/1/3/1/4/131438604/guzozuwikuj_xukeloz_pawamegan.pdf
- http://files.naturesbountyfarm.com/uploads/1/3/1/3/131398091/2167637.pdf
- https://cdn.shopify.com/s/files/1/0432/7935/1976/files/5790757932.pdf
- https://cdn.shopify.com/s/files/1/0431/3461/5706/files/11486257049.pdf
- https://cdn.shopify.com/s/files/1/0434/8359/4909/files/mow_my_lawn_2_script.pdf
- https://cdn.shopify.com/s/files/1/0437/0631/9001/files/antitussive_agents.pdf
- https://cdn.shopify.com/s/files/1/0431/9304/1053/files/vawebulumemotetafiwepab.pdf
- https://cdn.shopify.com/s/files/1/0430/6645/8266/files/54035076476.pdf
- https://cdn.shopify.com/s/files/1/0437/5393/0904/files/canela_de_velho_bula.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/16494210232.pdf
- https://cdn.shopify.com/s/files/1/0435/5558/6203/files/793118620.pdf
- https://cdn.shopify.com/s/files/1/0431/7901/6360/files/30685048189.pdf
- https://cdn.shopify.com/s/files/1/0440/6539/0757/files/69061251575.pdf
- https://cdn.shopify.com/s/files/1/0437/8230/7989/files/1st_grade_phonics_book.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f42.bin` `141b97b93e39b009c726680e4148b461019636b92b1adc27b986dfb7da557e37`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F42	5220 bytes
`font_01_sfnt_off00007129.bin` `6a64d6bdaa9df88232314c335d85c8e98e764ea766b23be0d5b5204701ba4fb9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7129	10084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.