PDF malware analysis — malicious · e324d6c991a0b0e2

MALICIOUS

PDF

88.8 KB Created: 2020-07-30 17:12:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3c34acd084c409724a9b8dc7f8e0b688 SHA-1: 6f0b80a43abe55d547623cdb68a8a6c00ce0da49 SHA-256: e324d6c991a0b0e243726e7c1fcfecf0b7183ceb6df8145988c16f80e1cb0392

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple embedded links, with one identified as a malicious redirector pointing to 'ttraff.com'. The document also exhibits characteristics of a link farm, suggesting an attempt to lure users to external, potentially malicious, websites. The presence of numerous Shopify-hosted PDF links further indicates a broad distribution strategy. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=analog%25C3%25ADas+verbales+pdf
- http://files.heallreaf.com/uploads/1/3/0/9/130969751/2146859.pdf
- http://files.wingspan-wellness.com/uploads/1/3/1/4/131406717/6bc09.pdf
- http://files.farstfoundation.com/uploads/1/3/1/8/131856131/poxobulole.pdf
- http://files.jewelconsulting.net/uploads/1/3/0/8/130815009/f9f27c8b0d.pdf
- https://cdn.shopify.com/s/files/1/0433/6418/8312/files/borinozirog.pdf
- https://cdn.shopify.com/s/files/1/0428/1666/7815/files/83746785216.pdf
- https://cdn.shopify.com/s/files/1/0435/4228/2394/files/nonej.pdf
- https://cdn.shopify.com/s/files/1/0434/2477/6354/files/82218931380.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lofolevunukexus.pdf
- https://cdn.shopify.com/s/files/1/0437/5642/1278/files/filisad.pdf
- https://cdn.shopify.com/s/files/1/0433/1828/0357/files/85397334206.pdf
- https://cdn.shopify.com/s/files/1/0432/5185/9616/files/mawisugubelabilonuvezu.pdf
- https://cdn.shopify.com/s/files/1/0433/4904/9499/files/20405779605.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/73930450062.pdf
- https://cdn.shopify.com/s/files/1/0439/1128/2840/files/48719103871.pdf
- https://cdn.shopify.com/s/files/1/0431/9471/2228/files/rivopopusafuw.pdf
- https://cdn.shopify.com/s/files/1/0432/3852/3047/files/28496742734.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_008_off00012ce3.bin` `d70d8b5ae7caccdffba53f37ba6cf8753c834a00aa89d4be5c10109e09803563`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x12CE3	22224 bytes
`font_00_sfnt_off0000f1e2.bin` `61076dbb53ea20c8f68a7949d0c677d43ccb02d658048974dc5e647009d2e0a6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF1E2	5112 bytes
`font_01_sfnt_off00010351.bin` `0cac9dfc4c76cbe8e176bf76186357927de928c7669b7594321cd7d924a6568e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10351	12860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.