Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed6a7bbbfe7cdae6…

MALICIOUS

PDF

Size: 72.2 KB
Created: 2020-07-30 04:53:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d2b12f78e1010585880b3945c6315fd
SHA-1: 245df3daf7640d1b9ae8a6b85a4b3efaa37bb464
SHA-256: ed6a7bbbfe7cdae6b37da465c5c29390528482ec96c31ad18fa316c1961a1d88
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links and is identified as a PDF SEO link farm. One of these links, `https://ttraff.com/pify?keyword=rational+and+irrational+numbers+quiz+pdf`, points to a known malicious redirector. The document body, though heavily obfuscated, suggests a quiz theme, most likely a lure to entice users into clicking the malicious links. The primary attack pattern is redirecting users to malicious infrastructure through a clickable link, rather than exploiting a PDF parser.

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=rational+and+irrational+numbers+quiz+pdf (known malicious redirector; see PDF_MALICIOUS_REDIRECTOR_LINK above)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000b7bc.bin | ec42390d1ff26b3f4d4673d38cacbdf1a35198afcf3d97ae3e9d33750ec3b237 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7BC | 5392 bytes
font_01_sfnt_off0000c9f5.bin | 26e1dbad670c1969dcfcbcfa05d580f29ffdd62fcc80f74b035d6cf7de917bf4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC9F5 | 16520 bytes
font_02_sfnt_off0000fd77.bin | 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD77 | 16204 bytes