PDF malware analysis — malicious · e3efb9ff873a0762

MALICIOUS

PDF

45.0 KB Created: 2020-08-08 13:25:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 71f96f14cf285f566a4b3e9bb66b86ab SHA-1: 4125d9cf3c8c8f77971578b84d046b2b0cddd6a7 SHA-256: e3efb9ff873a0762effb03ddcdeb860925acd239034587545a929e8e1217cdbe

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wb?keyword=it's%20now%20or%20never%20sheet%20music%20pdf', suggesting a lure to trick users into clicking the malicious link. The presence of numerous external links indicates a potential SEO poisoning or link farm tactic to distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=it
- http://files.paprikatravels.com/uploads/1/3/0/7/130775730/6132586c1.pdf
- http://files.stephanietingle.com/uploads/1/3/1/3/131380745/f684d7ec.pdf
- http://files.breatheserenity.com/uploads/1/3/1/3/131380308/130882.pdf
- http://files.reflexgames.info/uploads/1/3/2/7/132740249/e236be888.pdf
- https://cdn.shopify.com/s/files/1/0440/1538/6789/files/115_aspirational_districts_list.pdf
- https://cdn.shopify.com/s/files/1/0431/6443/4583/files/78597968127.pdf
- https://cdn.shopify.com/s/files/1/0431/6325/4944/files/1402121974.pdf
- https://cdn.shopify.com/s/files/1/0428/3754/1031/files/pibuf.pdf
- https://cdn.shopify.com/s/files/1/0430/7451/9194/files/business_model_examples.pdf
- https://cdn.shopify.com/s/files/1/0432/5995/3312/files/65418829820.pdf
- https://cdn.shopify.com/s/files/1/0438/1625/5650/files/kaweratewavezi.pdf
- https://cdn.shopify.com/s/files/1/0444/0326/1606/files/brand_positioning_questionnaire.pdf
- https://cdn.shopify.com/s/files/1/0434/9929/0776/files/kenmore_coldspot_manual.pdf
- https://cdn.shopify.com/s/files/1/0438/9853/6091/files/manifesto_pakatan_harapan_perak_2020.pdf
- https://cdn.shopify.com/s/files/1/0431/5417/8216/files/fofafanuriges.pdf
- https://cdn.shopify.com/s/files/1/0431/9081/2821/files/bajibopazinarodesapuwaf.pdf
- https://cdn.shopify.com/s/files/1/0428/4848/5535/files/56418916.pdf
- https://cdn.shopify.com/s/files/1/0430/9309/8660/files/79114986315.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063f2.bin` `73624de66db75dc6bb804e44f2ae6e36bb6692aeed680dc34543a45c98bc53a2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63F2	5276 bytes
`font_01_sfnt_off000075da.bin` `a5377c6d15c72da75affc7c606242dc2b000e46d1661c38dfe0b6fb41ed6221b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75DA	16072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.