PDF malware analysis — malicious · e7dd35aa7a4b2f2d

MALICIOUS

PDF

43.5 KB Created: 2020-08-20 22:28:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3a465ad337aa558dfcab8c8d7303c907 SHA-1: e926f5fd4bcf97a46547dbfa9bf6b710ec84e936 SHA-256: e7dd35aa7a4b2f2d11d473ed2c4e2d20f6b1ab89dfe0ab8a253e457003d92b95

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of embedded links, many of which point to benign Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=adineue+pro+bold+font', which is flagged as a malicious redirector. This suggests the document is designed to lure users to malicious infrastructure, likely for further exploitation or credential harvesting.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=adineue+pro+bold+font
- http://files.fijisearoad.com/uploads/1/3/0/8/130814003/xupasigomad.pdf
- http://wipok.erinwestgate.com/uploads/1/3/1/4/131406717/8196325.pdf
- http://files.spi-researchcentre.com/uploads/1/3/1/6/131636655/2414909.pdf
- http://files.riballet.com/uploads/1/3/2/6/132695636/zosemozak-joxogimojetemud-jagotuxuwuxusos-bupixe.pdf
- https://cdn.shopify.com/s/files/1/0435/4693/5447/files/14661806767.pdf
- https://cdn.shopify.com/s/files/1/0432/2073/0011/files/90203682430.pdf
- https://cdn.shopify.com/s/files/1/0439/9906/8310/files/98504328407.pdf
- https://cdn.shopify.com/s/files/1/0439/6112/2974/files/can_i_download_purble_place.pdf
- https://cdn.shopify.com/s/files/1/0427/5575/2103/files/hd_avi_movies_2015.pdf
- https://cdn.shopify.com/s/files/1/0438/6072/1829/files/16770934132.pdf
- https://cdn.shopify.com/s/files/1/0435/3199/3242/files/partnership_deed_in_gujarati_language.pdf
- https://cdn.shopify.com/s/files/1/0428/6827/7415/files/autodesk_inventor_certification_practice_test.pdf
- https://cdn.shopify.com/s/files/1/0436/1873/0147/files/alphabet_design_a_to_z_image.pdf
- https://cdn.shopify.com/s/files/1/0429/7215/1959/files/kosodosexul.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gofusibosaduxigagixuvoma.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000564c.bin` `7dad818ef59bebceb65b34dd9ff6c6fff69e1fce549167b2dfe9b987fa3f7aad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x564C	4776 bytes
`font_01_sfnt_off0000668b.bin` `2bd2b23f6bdf731c43f1243a4749ad0a6e74696bf408a2d524e5a8f75d39caef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x668B	11080 bytes
`font_02_sfnt_off00008c5f.bin` `fb27248ec02d804caa0ce6a8dd06a8f0f211157336bc50f6c382585ff5fe3da3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C5F	16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.