PDF malware analysis — malicious · f01c70df90a55369

MALICIOUS

PDF

46.1 KB Created: 2020-08-08 15:27:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7241bb9e8146533725733f37f697ff34 SHA-1: 8ca850ff3f87e10cfa8d9211e29203de59a02f33 SHA-256: f01c70df90a55369ff24dc2d64ae7b909da4535da6fe3228e372e062699a2411

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=edit+pdf+file+text+free'. This URL is presented in the document body as a tool to edit PDF files, likely as a lure. The file also contains a PDF link farm heuristic, indicating a large number of external links, with 'https://cdn.shopify.com/s/files/1/0435/6908/6619/files/48834009972.pdf' being one of the first identified. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=edit+pdf+file+text+free
- http://files.chadhanson.org/uploads/1/3/1/3/131383771/lomutitori.pdf
- http://files.suzannepurvis.com/uploads/1/3/2/7/132711954/4e29e280320.pdf
- http://mazuxire.augustasquarecondos.com/uploads/1/3/1/4/131406390/romaxekuduleri-zeraxajo.pdf
- http://files.nod-production.de/uploads/1/3/0/7/130775465/c4926.pdf
- https://cdn.shopify.com/s/files/1/0435/6908/6619/files/48834009972.pdf
- https://cdn.shopify.com/s/files/1/0431/5165/5076/files/durigiribuxabizanotid.pdf
- https://cdn.shopify.com/s/files/1/0431/8570/1025/files/xubagapudinoninovugadako.pdf
- https://cdn.shopify.com/s/files/1/0433/8620/8406/files/bhagavad_gita_book_in_tamil_free_download.pdf
- https://cdn.shopify.com/s/files/1/0437/6703/8106/files/oxford_phonics_world_4_student_book.pdf
- https://cdn.shopify.com/s/files/1/0433/2814/3510/files/zexaxusufuzun.pdf
- https://cdn.shopify.com/s/files/1/0438/9961/7448/files/34499721973.pdf
- https://cdn.shopify.com/s/files/1/0428/6801/5260/files/castellan_fundamentos_de_fisico_quimica.pdf
- https://cdn.shopify.com/s/files/1/0428/1230/9670/files/bojumujone.pdf
- https://cdn.shopify.com/s/files/1/0434/5511/9512/files/momazavofozefilaliw.pdf
- https://cdn.shopify.com/s/files/1/0432/2033/6807/files/figeperoleza.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063de.bin` `79486383f408ca1194de7df0d1e93a19caed854726223db7aa84404320945ea3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63DE	4672 bytes
`font_01_sfnt_off000073db.bin` `f8cdde6a390bca7740ef5a13c9ae256107e5d2338403a3deae53bcf11652824b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73DB	10232 bytes
`font_02_sfnt_off00009702.bin` `10572f3a10760712fbb8352e098d229fd21f48763f52fb6fd9385479015ceb58`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9702	16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.