PDF malware analysis — malicious · e86e6b83b81d2556

MALICIOUS

PDF

41.2 KB Created: 2020-07-09 14:50:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 54974094505e965cd8b75bb11ec25064 SHA-1: 62e30ba9183be45b0d5e48520eb6a7891d88ae34 SHA-256: e86e6b83b81d255686553115fed7b2965d9fb14980343fd86db159a8aa209740

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a deceptive document body masquerading as an oven manual, which includes a link to a known malicious redirector. The file also hosts a large number of links to other PDF files, likely for SEO manipulation or to distribute further malicious content. The primary malicious link is https://ttraff.cc/wb?keyword=belling%20oven%20owners%20manual, which redirects to potentially harmful sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=belling%20oven%20owners%20manual
- http://files.cathstonardtextilearts.com/uploads/1/3/1/8/131872096/2f92002681.pdf
- http://files.smartdesigns365.com/uploads/1/3/1/3/131379663/gesogotavetem.pdf
- http://files.3gsstaystrong.com/uploads/1/3/2/6/132695467/8810219.pdf
- http://files.headtotoeoldschool.com/uploads/1/3/1/1/131163957/d5410eae4.pdf
- http://files.damselflyyogaspa.com/uploads/1/3/0/8/130874647/nikowojorezak.pdf
- http://files.drlesgarson.com/uploads/1/3/0/7/130776123/1719573.pdf
- http://files.layover-tour-beijing.com/uploads/1/3/2/6/132680852/xujumeteve_ximavoboxeb_dizelipesi.pdf
- http://files.rivermenrodandgunclub.com/uploads/1/3/2/3/132302973/nomegariwutok-wibiwu-visinatixubuj-sojimuta.pdf
- https://divosurepewa.files.wordpress.com/2020/07/safaxudim.pdf
- https://gabotisiv.files.wordpress.com/2020/07/45230495116.pdf
- https://vutokavajino.files.wordpress.com/2020/07/bikitoximosi.pdf
- https://sifizuxu.files.wordpress.com/2020/07/rimijazejerisataxelufaduv.pdf
- https://kixudufeluj670282504.files.wordpress.com/2020/07/27191315536.pdf
- https://jopokujepe.files.wordpress.com/2020/06/12662860779.pdf
- https://lokewigokun.files.wordpress.com/2020/07/81650661539.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/83971047952.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/60359225188.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/3152232763.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/90442425312.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000643f.bin` `4b8344066dbeabf6d3adba11ed57ae9e54ac63acc75e55c5b84fb3989a53141f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x643F	5008 bytes
`font_01_sfnt_off00007538.bin` `ea10318aebee87b3e1463c37901a11ceea623a5ec5fb8e94e0beb1c86587a88e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7538	10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.