MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=automotive+diesel+engine+parts+and+functions+pdf'. This indicates the document's primary purpose is to redirect users to potentially harmful content. The PDF also contains a link farm heuristic, suggesting an attempt to generate traffic or distribute further malicious links. No scripts were extracted from this sample.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://ttraff.cc/pify?keyword=automotive+diesel+engine+parts+and+functions+pdf
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006762.bin b96b3b7ac693890f323d0c16ce73e7af238a9427252c87bde834feb14e7defa9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6762 | 5408 bytes |
| font_01_sfnt_off000079b4.bin a54b41f27e6be2072c3c5293f4e59b2f54cd5046a427d176af2c47fcc9bda122 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79B4 | 10804 bytes |
| font_02_sfnt_off00009d8c.bin b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D8C | 4324 bytes |