PDF malware analysis — malicious · e1c9693eed2c2fde

MALICIOUS

PDF

47.7 KB Created: 2020-08-08 09:11:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 83356ab79e536fb86e56dddab0628ff6 SHA-1: 9464a912d228150e9ba43a6421eb97d71e2af59a SHA-256: e1c9693eed2c2fde1c75796580193ac2797acf64ea0134041c640a520e508298

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body also contains this URL, disguised as a manual for Xiaomi airdots. This indicates a social engineering lure to trick users into visiting a malicious site. The PDF also contains a large number of external links, many hosted on Shopify, suggesting a link farm for SEO manipulation to distribute the malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=xiaomi+airdots+manual+pdf+portugues
- http://files.impeccableyou.co.uk/uploads/1/3/1/3/131379706/novogunigaw.pdf
- http://zepar.drydesign.co.uk/uploads/1/3/1/3/131398560/a9144a0.pdf
- http://files.mri-auto-diagnostics.com/uploads/1/3/0/7/130775475/6e766ee49.pdf
- http://wifemado.destinationsint.com/uploads/1/3/1/4/131452883/tofad-pedutukodusabep-riveda.pdf
- https://cdn.shopify.com/s/files/1/0435/8209/5517/files/tulelinal.pdf
- https://cdn.shopify.com/s/files/1/0433/5799/5160/files/bogixewuvigurenelozugit.pdf
- https://cdn.shopify.com/s/files/1/0436/0703/1966/files/another_irish_drinking_song_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0432/7247/0686/files/bovigozumapin.pdf
- https://cdn.shopify.com/s/files/1/0435/4693/5447/files/56478657443.pdf
- https://cdn.shopify.com/s/files/1/0434/2136/8472/files/69688517949.pdf
- https://cdn.shopify.com/s/files/1/0429/5504/7068/files/tadakipafikerazomopamekus.pdf
- https://cdn.shopify.com/s/files/1/0438/8922/9979/files/xiduxalisajukutezalafi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kawovuk.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kubogofire.pdf
- https://cdn.shopify.com/s/files/1/0427/9674/4871/files/poduladezetag.pdf
- https://cdn.shopify.com/s/files/1/0429/4112/0679/files/minecraft_gta_mode.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066a0.bin` `0901cbace2d5895fc87d1328d319c4b7a1708314fbad56bff64f55ec3d2138b4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66A0	5336 bytes
`font_01_sfnt_off000078b1.bin` `f65df76a2596f0d2eb5bc024f306233aae421b994101365242b611112d6a3331`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78B1	10420 bytes
`font_02_sfnt_off00009c05.bin` `532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C05	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.