PDF malware analysis — malicious · f1cd049217b34989

MALICIOUS

PDF

53.1 KB Created: 2020-07-31 04:50:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9fbc12cc84ff82f3d3dd257e3003dec3 SHA-1: b045c5c6d296445bd15013fdb33b715552062ee2 SHA-256: f1cd049217b349893aa448ce73e7b185a4cf5aab96c946e81bf01d91b534aa3c

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that suggests it is a form. The primary malicious URL is ttraff.cc, which redirects to a payload. The presence of multiple PDF links hosted on Shopify and other file-sharing services indicates a link farm designed to distribute malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=a+101+ba%25C5%259Fvuru+formu+pdf
- http://files.beewedapp.com/uploads/1/3/0/7/130738913/famidi-lisajineb-jokudufawebukev-tejaxexar.pdf
- http://files.poisewithapurpose.com/uploads/1/3/0/7/130739525/negojer_rowikulizi_wafalalowukafaz.pdf
- http://files.jeffgrclittleleague.org/uploads/1/3/1/0/131071157/1502416.pdf
- https://cdn.shopify.com/s/files/1/0434/1052/2277/files/muzibisetozazozogelekuzu.pdf
- https://cdn.shopify.com/s/files/1/0432/8292/3676/files/warediwufuzupomaduw.pdf
- https://cdn.shopify.com/s/files/1/0429/7264/3491/files/wotatugawiwu.pdf
- https://cdn.shopify.com/s/files/1/0435/5496/3617/files/7114602196.pdf
- https://cdn.shopify.com/s/files/1/0432/1044/0862/files/dobegetigoruzejenilug.pdf
- https://cdn.shopify.com/s/files/1/0433/8139/1514/files/fanazeju.pdf
- https://cdn.shopify.com/s/files/1/0429/1641/3607/files/lepawimipek.pdf
- https://cdn.shopify.com/s/files/1/0432/7777/9100/files/xewapixuw.pdf
- https://cdn.shopify.com/s/files/1/0429/8076/9951/files/jaziwexef.pdf
- https://cdn.shopify.com/s/files/1/0433/3328/8088/files/21237279538.pdf
- https://cdn.shopify.com/s/files/1/0433/9249/9877/files/gebifibanabiwitopijomujed.pdf
- https://cdn.shopify.com/s/files/1/0435/6397/4805/files/83455380709.pdf
- https://cdn.shopify.com/s/files/1/0440/5913/2056/files/2811146712.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000762c.bin` `0bfdcfbd5d50828b8884e331b1f1c637f5112ec3606823aa8ecbe1c7f367cc4f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x762C	5140 bytes
`font_01_sfnt_off0000878e.bin` `b81ca146cffe2bb202765e2041cbf3085881f5a48c4bb65341ca7015d4cbad9f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x878E	13752 bytes
`font_02_sfnt_off0000b08f.bin` `9b6ad5722d12b30ebaf898f562fd4d85af749794f3aca0f1f676e444c262175b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB08F	16088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.