PDF malware analysis — malicious · e34ae4890cd558b2

MALICIOUS

PDF

39.5 KB Created: 2020-08-05 05:50:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 534f476903a2c2ada5b978ff321aaeea SHA-1: 60485f81aa9521750d59195b6f9bd72f2b694185 SHA-256: e34ae4890cd558b27f157629952404338b7e0505ae3bd075dccc2819ecc4d510

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, many pointing to shopify.com domains, but one critical link directs to a known malicious redirector at ttraff.com. This suggests a link farm or SEO poisoning technique used to disguise malicious activity. The document body is heavily obfuscated and contains the malicious URL, indicating an attempt to lure users to a malicious site under the guise of a 'free trade definition pdf'. No scripts were extracted, but the presence of the malicious URL is sufficient evidence for the attack pattern.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=free+trade+definition+pdf
- http://files.estherica.com/uploads/1/3/1/4/131482821/41e0797fd.pdf
- http://files.christinarjackson.com/uploads/1/3/1/4/131438142/sexiw_badavixed_nanepasif.pdf
- http://files.oregonstateinvestmentgroup.com/uploads/1/3/1/4/131407051/fupekivujiraxarasado.pdf
- http://files.sheilasauvageau.com/uploads/1/3/0/7/130739542/wipof_sanuren.pdf
- https://cdn.shopify.com/s/files/1/0431/2186/8960/files/44765655307.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13977314479.pdf
- https://cdn.shopify.com/s/files/1/0438/6678/3899/files/gibugorewuvabade.pdf
- https://cdn.shopify.com/s/files/1/0431/3595/9191/files/lonulibidib.pdf
- https://cdn.shopify.com/s/files/1/0432/8043/3302/files/72017369294.pdf
- https://cdn.shopify.com/s/files/1/0431/0512/4503/files/96565502141.pdf
- https://cdn.shopify.com/s/files/1/0432/5208/9000/files/guforidanifisi.pdf
- https://cdn.shopify.com/s/files/1/0432/5530/0249/files/45450596021.pdf
- https://cdn.shopify.com/s/files/1/0429/5131/1513/files/8224691801.pdf
- https://cdn.shopify.com/s/files/1/0437/6081/2190/files/r_kelly_cookies_mp3.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rinavupomun.pdf
- https://cdn.shopify.com/s/files/1/0432/3157/6231/files/satanic_bible_full_in_malayalam.pdf
- https://cdn.shopify.com/s/files/1/0429/9941/4947/files/10115665511.pdf
- https://cdn.shopify.com/s/files/1/0429/7208/6435/files/55156576648.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005ff0.bin` `4faeb78215e216d213bb22a7f37b0a5b1dfa262ed042934e0487d7ccbeff111f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5FF0	4780 bytes
`font_01_sfnt_off00007046.bin` `37fdebab818930ed8d6a4873e331863b4eb1326cb464d1591e9d2c7610326b67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7046	9616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.