PDF malware analysis — malicious · df44fbd74f260039

MALICIOUS

PDF

68.6 KB Created: 2020-08-02 02:58:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ff31684a374d38b0d1ba04f72f5ac6d4 SHA-1: f5e5644088911a5dca29b21c53278eef1effea75 SHA-256: df44fbd74f260039c8986cf65afc7e1dde7f665ff11a702ff6625ecb0448ec78

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, forming a link farm. One critical heuristic identified a direct link to a known malicious redirector, ttraff.com, which is used to obscure the final destination. The document body content, though partially corrupted, includes the search term 'Singer sewing machine serial number g', suggesting a lure to attract clicks. The presence of multiple PDF links and a redirector indicates a likely phishing or scam campaign.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=singer+sewing+machine+serial+number+g
- http://files.lolaca.com/uploads/1/3/0/7/130738765/3048349.pdf
- http://files.stpaulpensacola.org/uploads/1/3/2/3/132303339/vebofaxosutijak.pdf
- http://files.illinois-fpsb.com/uploads/1/3/0/7/130738666/sadalofurotumus-xamax-tepamewelirof.pdf
- https://cdn.shopify.com/s/files/1/0429/0835/2679/files/guzotozitimerawanovu.pdf
- https://cdn.shopify.com/s/files/1/0428/9573/6988/files/rudopevida.pdf
- https://cdn.shopify.com/s/files/1/0437/0336/9878/files/gijafavopud.pdf
- https://cdn.shopify.com/s/files/1/0431/8747/0485/files/965551091.pdf
- https://cdn.shopify.com/s/files/1/0433/6022/3397/files/94390478919.pdf
- https://cdn.shopify.com/s/files/1/0439/1682/0635/files/nokavafovuma.pdf
- https://cdn.shopify.com/s/files/1/0428/2230/3911/files/lupifafadujulo.pdf
- https://cdn.shopify.com/s/files/1/0438/5511/8501/files/wubesasalimafusobofudege.pdf
- https://cdn.shopify.com/s/files/1/0434/6016/5797/files/puziritotesokebate.pdf
- https://cdn.shopify.com/s/files/1/0427/4274/3207/files/kufakifobabine.pdf
- https://cdn.shopify.com/s/files/1/0434/1802/6142/files/11146164346.pdf
- https://cdn.shopify.com/s/files/1/0429/8421/0583/files/67529218800.pdf
- https://cdn.shopify.com/s/files/1/0435/8874/7423/files/tenulalipejitaso.pdf
- https://cdn.shopify.com/s/files/1/0431/5820/8674/files/9647936974.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c597.bin` `a09fdf51a6cf2ce33c13fada3e427e6d8142bf583c1cff821bab629f3098de87`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC597	5548 bytes
`font_01_sfnt_off0000d85a.bin` `c79afce61b328d4943ddad13964150fa37759be7cf15276bf330fe6082dde99a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD85A	14180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.