PDF malware analysis — malicious · e208f0187617777b

MALICIOUS

PDF

44.3 KB Created: 2020-08-22 00:48:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: eb972a3407d1d6dce7f691ccdd8a8cf7 SHA-1: 68d137de1af9211d8dce29b962278a5dc651a72f SHA-256: e208f0187617777b4a1f2ce616451bf5f47e68ebc74f1b1ec1ae13454b85d3f7

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. It also exhibits a PDF link farm, with many links pointing to Shopify domains, likely for SEO manipulation to increase visibility. The document body contains a call-to-action phrase, reinforcing the lure. The primary malicious IOC is the redirector URL, which likely leads to further stages of the attack.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cover+lagu+senorita+via+vallen
- http://files.msilaser.com/uploads/1/3/0/9/130969742/9305691.pdf
- https://cdn.shopify.com/s/files/1/0437/1975/3879/files/normalidad_y_anormalidad_en_psicologia.pdf
- https://cdn.shopify.com/s/files/1/0443/0174/6332/files/movojoxajebebilobarije.pdf
- https://cdn.shopify.com/s/files/1/0434/0157/6604/files/live_football_streaming_apk_2018.pdf
- https://cdn.shopify.com/s/files/1/0433/1359/4526/files/88590298321.pdf
- https://cdn.shopify.com/s/files/1/0434/4948/3420/files/stats_data_and_models_4th_edition.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vekedexixerokasadoboma.pdf
- https://cdn.shopify.com/s/files/1/0436/8151/3625/files/mebigazakejit.pdf
- https://cdn.shopify.com/s/files/1/0429/5216/3482/files/najugev.pdf
- https://cdn.shopify.com/s/files/1/0433/8712/5927/files/45434320570.pdf
- https://cdn.shopify.com/s/files/1/0430/6839/1577/files/tensorflow_version_check.pdf
- https://cdn.shopify.com/s/files/1/0433/7506/7297/files/20004823297.pdf
- https://cdn.shopify.com/s/files/1/0436/4327/3369/files/47158762233.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005b14.bin` `d7f9c358e15e399f47efe8cb7589bd6af1c50887a6a98e21a3bf7758a1856385`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5B14	4816 bytes
`font_01_sfnt_off00006b84.bin` `a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B84	1800 bytes
`font_02_sfnt_off00007411.bin` `a6e139a2ab6487a359f1d9e96b5e6e91e11a811d90b2721143c09f627c6c77fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7411	15012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.