PDF malware analysis — malicious · f1fe5ebbff624df5

MALICIOUS

PDF

49.6 KB Created: 2020-08-15 02:57:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5f322929fbae546621246a384e927306 SHA-1: 0e0331eb407345718fe5c9a3bbf0e662b512c62e SHA-256: f1fe5ebbff624df57ee501cd837932d6cc87b43038e37b48d1943609029c2452

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One of the primary links, https://ttraff.com/pify?keyword=cours+d%2527+orthographe+fran%25C3%25A7ais+pdf, is identified as a malicious redirector. This suggests the document is designed to drive traffic to malicious infrastructure, likely for phishing or malware distribution. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cours+d%2527+orthographe+fran%25C3%25A7ais+pdf
- http://files.stanleeohikhuare.com/uploads/1/3/1/4/131454012/wogem-nimomi-wolore-daluzori.pdf
- http://files.allencblack.com/uploads/1/3/0/8/130874647/tifuvurafodosomajit.pdf
- http://files.helpryansee.com/uploads/1/3/0/8/130814132/26a9080bd.pdf
- http://files.stjohnselma.org/uploads/1/3/1/3/131379443/demutafexeve.pdf
- https://cdn.shopify.com/s/files/1/0438/1717/3149/files/49258032870.pdf
- https://cdn.shopify.com/s/files/1/0436/2466/1154/files/baixar_para_android.pdf
- https://cdn.shopify.com/s/files/1/0438/6521/1035/files/87850666713.pdf
- https://cdn.shopify.com/s/files/1/0432/2679/2100/files/lopaw.pdf
- https://cdn.shopify.com/s/files/1/0430/3477/1610/files/gesuxovebegubiga.pdf
- https://cdn.shopify.com/s/files/1/0434/7743/4525/files/16776268139.pdf
- https://cdn.shopify.com/s/files/1/0428/8158/1209/files/kuxevedu.pdf
- https://cdn.shopify.com/s/files/1/0436/2862/6080/files/43915611240.pdf
- https://cdn.shopify.com/s/files/1/0438/8693/6219/files/16755185.pdf
- https://cdn.shopify.com/s/files/1/0431/0820/4708/files/maintenance_page_template.pdf
- https://cdn.shopify.com/s/files/1/0431/8684/7905/files/xutibekatonov.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006716.bin` `d0f8e16af05c057256a28446c5ef28c12163bcaaff3b5c0f700c24aca3678f09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6716	5392 bytes
`font_01_sfnt_off0000796e.bin` `de91b58aba2831d1a3ff28a2f772f5bdc22794dcfb6dc30af3f4c2aaf33c4040`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x796E	2036 bytes
`font_02_sfnt_off0000830e.bin` `6b83aee94bddd6aec59eed1c35e338328db5a09b5adf12bbbe162926ba502ebb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x830E	12228 bytes
`font_03_sfnt_off0000a8cc.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA8CC	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.