PDF malware analysis — malicious · e3528e53e55cf6de

MALICIOUS

PDF

45.2 KB Created: 2020-08-02 12:42:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 76479d8f87961bc24c59dfe27016117b SHA-1: 1f9496a04c45ca4a8142dd6459f9a94bb20aa7de SHA-256: e3528e53e55cf6de2c01563f565ad5c001656535e032e5aaa9722e566117a18f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/pify?keyword=blaze+of+glory+lyrics'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to Shopify domains. The document body, though heavily obfuscated, contains the same redirector URL and a reference to 'Blaze of glory lyrics', suggesting a lure to entice clicks. The file's purpose appears to be directing users to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=blaze+of+glory+lyrics
- http://files.dghealthandfitness.com/uploads/1/3/0/8/130874575/3885037.pdf
- http://files.accessprotons.com/uploads/1/3/2/6/132695325/400fe9.pdf
- http://files.jacobxsullivan.com/uploads/1/3/0/8/130873783/1c55c.pdf
- http://files.dghealthandfitness.com
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/10809735118.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/67331216746.pdf
- https://cdn.shopify.com/s/files/1/0433/6379/5094/files/sakonogutegigomomas.pdf
- https://cdn.shopify.com/s/files/1/0431/2930/7296/files/58902922957.pdf
- https://cdn.shopify.com/s/files/1/0429/4131/7276/files/sitisavekewamujajikojin.pdf
- https://cdn.shopify.com/s/files/1/0430/8851/1130/files/gukekolejeku.pdf
- https://cdn.shopify.com/s/files/1/0430/3139/6501/files/dowukej.pdf
- https://cdn.shopify.com/s/files/1/0433/6146/8574/files/wuzekuluzuximavu.pdf
- https://cdn.shopify.com/s/files/1/0434/5744/6038/files/nevapamiwefadeva.pdf
- https://cdn.shopify.com/s/files/1/0430/7573/1607/files/vapegoduliropifak.pdf
- https://cdn.shopify.com/s/files/1/0429/5681/6540/files/rosix.pdf
- https://cdn.shopify.com/s/files/1/0434/5892/0605/files/nurom.pdf
- https://cdn.shopify.com/s/files/1/0427/6636/8935/files/nonam.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000065dd.bin` `a55796555ba2002a286cea414939b23b576f5e76e074aefc17fc02bcb951d3cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65DD	4852 bytes
`font_01_sfnt_off0000767e.bin` `ddca28c15aee1460f0053b03dbb077a5e2a72a3e94716c52a78ef2b140339bdc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x767E	10212 bytes
`font_02_sfnt_off0000997b.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x997B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.