PDF malware analysis — malicious · e8d46fffb5b95a1e

MALICIOUS

PDF

43.1 KB Created: 2020-08-15 01:53:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 17d5bc1b635966a68e37c162f085cb2e SHA-1: c2e48bff8c2428044be6c13456ea707e4f6ede59 SHA-256: e8d46fffb5b95a1e7fd914f40c798c316b73593810e85dc148f6f70822b8b795

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm of numerous PDF documents hosted on Shopify, likely intended to manipulate search engine results or lure victims. One of the primary links, 'https://ttraff.cc/pify?keyword=gear+patrol+gift+guide+2018', redirects to malicious infrastructure. The document body, though heavily corrupted, contains fragments of the gift guide title and the malicious URL, reinforcing the lure. The presence of a link farm and a malicious redirector indicates a phishing or redirection attack.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=gear+patrol+gift+guide+2018
- http://majarej.ioscaid.com/uploads/1/3/0/8/130874001/tajokodujase.pdf
- http://files.khamby.com/uploads/1/3/1/3/131379042/kuzipad.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/3183641906.pdf
- https://cdn.shopify.com/s/files/1/0434/9375/2997/files/niwoj.pdf
- https://cdn.shopify.com/s/files/1/0432/7351/9269/files/matufalidalokilezelozanev.pdf
- https://cdn.shopify.com/s/files/1/0434/1412/6759/files/jazimetox.pdf
- https://cdn.shopify.com/s/files/1/0437/6241/7825/files/38869623629.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tujekozovazufurujujazer.pdf
- https://cdn.shopify.com/s/files/1/0437/8122/6657/files/buku_pintar_agama_islam.pdf
- https://cdn.shopify.com/s/files/1/0435/4496/9367/files/band_gap_of_germanium.pdf
- https://cdn.shopify.com/s/files/1/0447/5407/5799/files/raleway_semibold_font_free.pdf
- https://cdn.shopify.com/s/files/1/0432/0854/0324/files/48504347308.pdf
- https://cdn.shopify.com/s/files/1/0432/9324/5590/files/badunu.pdf
- https://cdn.shopify.com/s/files/1/0437/5671/6183/files/lesutokanises.pdf
- https://cdn.shopify.com/s/files/1/0435/7727/8627/files/zutixilagabefo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006815.bin` `f1b09e19dc32179565e845a3f91659cc2df0de0717f7d822991e4ab9f29145f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6815	5580 bytes
`font_01_sfnt_off00007b27.bin` `f052d70941a98cb0294e21162c624e90a0249c0b15f64f8f1590aab610d66351`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B27	10996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.