PDF malware analysis — malicious · e5947089f47630e1

MALICIOUS

PDF

46.3 KB Created: 2020-08-21 03:04:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 20512dad918ff62dd95d624ab63866d9 SHA-1: f6485fd9f8cecdcd425030abae307deb96eba90b SHA-256: e5947089f47630e174b3c69a3ef8750eb7c93312f2aabfb319ce4d1d39620e20

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a link farm and a malicious redirector pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same lure text and URLs found in the heuristics, suggesting a social engineering attack to trick users into downloading potentially malicious content. The primary malicious URL is 'https://ttraff.com/pify?keyword=good+will+hunting+movie+free++hd'.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=good+will+hunting+movie+free++hd
- http://files.zihuaroofs.com/uploads/1/3/1/3/131381706/8764045.pdf
- http://files.wildflowercentury.org/uploads/1/3/1/0/131070722/moxede-pukikosexolu-navitilu.pdf
- https://cdn.shopify.com/s/files/1/0430/9739/1261/files/gowiw.pdf
- https://cdn.shopify.com/s/files/1/0431/5627/5362/files/55947671069.pdf
- https://cdn.shopify.com/s/files/1/0435/3461/4688/files/90551599561.pdf
- https://cdn.shopify.com/s/files/1/0434/8457/7956/files/mipiwepade.pdf
- https://cdn.shopify.com/s/files/1/0431/8032/7070/files/vigefujoma.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vevisip.pdf
- https://cdn.shopify.com/s/files/1/0436/0388/6238/files/favaw.pdf
- https://cdn.shopify.com/s/files/1/0430/8375/9765/files/tony_hawk_pro_skater_2_rom.pdf
- https://cdn.shopify.com/s/files/1/0431/3019/2039/files/wukikuleduxuzow.pdf
- https://cdn.shopify.com/s/files/1/0431/2861/9168/files/mikunebojabubupimuwa.pdf
- https://cdn.shopify.com/s/files/1/0428/1358/7623/files/15474455180.pdf
- https://cdn.shopify.com/s/files/1/0436/1604/3168/files/after_effect_3d_text_template.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000608f.bin` `f5fcbf6d19c86825c26818c25f2a229c422fdaa19fd147061552644fe8e017a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x608F	5116 bytes
`font_01_sfnt_off000071e3.bin` `3302e3abd3917a045485b173ab6431549a93e0bb60724753a405e6d6dd804a2d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71E3	10668 bytes
`font_02_sfnt_off00009653.bin` `40ff63d66a5f2bb1c2722c040effcf7eb0af707645e5768d5ec1c0f3bf38e8ad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9653	16192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.