PDF malware analysis — malicious · eeb985955bda6f14

MALICIOUS

PDF

38.2 KB Created: 2020-08-01 09:17:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2418c0e8fe317c7c324b1c6503177758 SHA-1: 24a913891d0acacd0fd6d991fe897c078ea5aab1 SHA-256: eeb985955bda6f14646edc297ef7bacf7cff961a0beb8c82c3ed8e900a18b84a

162 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a malicious redirector link to 'ttraff.com' and a large number of external PDF links, suggesting a link farm or redirection tactic. The document body and heuristics indicate a lure to install or connect with a remote support tool, which is high-risk in an unsolicited document. The primary malicious IOC is the redirector URL, which likely leads to further stages of the attack.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Remote-support tool lure high SE_REMOTE_SUPPORT_LURE

Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=virtualbox+mouse+capture
- http://files.aaadentalbahamas.com/uploads/1/3/1/3/131384340/b484aac553bf5.pdf
- http://files.thermbio.org/uploads/1/3/1/3/131382217/878155.pdf
- http://files.bishopgumbleton.com/uploads/1/3/1/3/131379371/tokasinipegog.pdf
- https://cdn.shopify.com/s/files/1/0427/6604/1244/files/tezimifowapadowisudiluze.pdf
- https://cdn.shopify.com/s/files/1/0437/5520/8858/files/degewamugirulepuz.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vinujavezo.pdf
- https://cdn.shopify.com/s/files/1/0437/8814/0696/files/marilyn_manson_sweet_dreams._mp3.pdf
- https://cdn.shopify.com/s/files/1/0432/3305/0779/files/rudosiwamerigizoromekisi.pdf
- https://cdn.shopify.com/s/files/1/0435/5883/0231/files/creme_de_la_cocoa.pdf
- https://cdn.shopify.com/s/files/1/0436/2820/0096/files/wosikixevez.pdf
- https://cdn.shopify.com/s/files/1/0428/6775/3116/files/bamozuzateziwikajutu.pdf
- https://cdn.shopify.com/s/files/1/0433/8922/3066/files/47715022327.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1015/files/zodoletagakimi.pdf
- https://cdn.shopify.com/s/files/1/0431/6043/6896/files/tivudo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99839510681.pdf
- https://cdn.shopify.com/s/files/1/0428/6667/1782/files/27063487037.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005812.bin` `84422a543621187fc639ddc4a9d04a861229e2ee4a3e73adfb99a4f61856d2c7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5812	5252 bytes
`font_01_sfnt_off000069d7.bin` `159b19f9ac62009c273b52c472ef0e4337a15cf4ebba2917837c97d302b3d9dc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69D7	10104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.