PDF malware analysis — malicious · ec2769da2a081c25

MALICIOUS

PDF

63.6 KB Created: 2020-08-08 18:18:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 94c242395970728374bea2e18971ba00 SHA-1: 4ac6bd3769565582b66fecda572cada44c6bdf88 SHA-256: ec2769da2a081c2525f312f728b81932f06aabb700671a2be8668701b8b892a1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector pointing to 'https://ttraff.com/pify?keyword=o+liberalismo+contempor%25C3%25A2neo+antonio+paim+pdf'. This indicates a likely attempt to direct users to malicious content or phishing sites. The presence of a link farm further supports this malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=o+liberalismo+contempor%25C3%25A2neo+antonio+paim+pdf
- http://sasuvodo.1320am.com/uploads/1/3/1/4/131453540/effef88f0.pdf
- http://files.oboeandbassooncamp.com/uploads/1/3/1/4/131437865/20d7062beb9dcd0.pdf
- http://maset.samuelpakart.com/uploads/1/3/0/7/130776257/2596530.pdf
- http://files.coasttocoasthauoratrust.com/uploads/1/3/1/6/131606429/nodopilaletigijig.pdf
- http://files.bendavidsonministries.com/uploads/1/3/1/0/131071252/196a61b56c045.pdf
- https://cdn.shopify.com/s/files/1/0436/9648/8613/files/84246130046.pdf
- https://cdn.shopify.com/s/files/1/0431/6128/8868/files/77537325590.pdf
- https://cdn.shopify.com/s/files/1/0427/5562/1031/files/40107130315.pdf
- https://cdn.shopify.com/s/files/1/0434/0023/3112/files/terigub.pdf
- https://cdn.shopify.com/s/files/1/0434/9113/1557/files/kadabatibubeju.pdf
- https://cdn.shopify.com/s/files/1/0428/3400/2086/files/7140408782.pdf
- https://cdn.shopify.com/s/files/1/0431/2721/0144/files/the_dark_side_of_globalization.pdf
- https://cdn.shopify.com/s/files/1/0431/7652/5984/files/34079307609.pdf
- https://cdn.shopify.com/s/files/1/0432/0831/0943/files/is_there_any_video_editor_without_watermark.pdf
- https://cdn.shopify.com/s/files/1/0433/8568/4124/files/offensive_security_certified_professional.pdf
- https://cdn.shopify.com/s/files/1/0432/9072/2469/files/paposiruwinifipedinuz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009e8d.bin` `31d1d6dae1153c35aa1d401bcb5c0b0385def628fb4d64d4994752e0cd6f431a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9E8D	5496 bytes
`font_01_sfnt_off0000b089.bin` `f883b360d014de130dba116f4e4e9978a47bad103af9885a4aade5a07011258c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB089	16772 bytes
`font_02_sfnt_off0000e0f3.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE0F3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.