PDF malware analysis — malicious · f340ab652476ae3e

MALICIOUS

PDF

64.8 KB Created: 2020-08-02 03:38:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3ae126c462962318b47ff2d4966734db SHA-1: baff38da67c1f7be344b7aceddbf513b916864af SHA-256: f340ab652476ae3e22841b34bfce0c4366edec81bb222acd1028c1f9e2a3eeb0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains a malicious redirector link that is disguised as a 'Florida new hire reporting form 2016 pdf'. This link, 'https://ttraff.cc/pify?keyword=florida+new+hire+reporting+form+2016+pdf', leads to known malicious infrastructure. The document also contains a large number of embedded links, many pointing to Shopify domains, suggesting an attempt to obscure the malicious destination or leverage SEO tactics. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=florida+new+hire+reporting+form+2016+pdf
- http://files.stephendarbyministries.com/uploads/1/3/1/3/131382841/banepa-rebij-kixokeviweb-rolamo.pdf
- http://files.onebigtreedesigns.com/uploads/1/3/0/7/130775632/28b98d.pdf
- http://files.torontocycling.org/uploads/1/3/2/6/132682210/02d44a9b3.pdf
- http://files.bouzasclasses.com/uploads/1/3/0/9/130969297/zojekutigim_bikilubedises_tefumavakeka.pdf
- https://cdn.shopify.com/s/files/1/0428/6971/9196/files/91148069310.pdf
- https://cdn.shopify.com/s/files/1/0431/4752/6305/files/21993984999.pdf
- https://cdn.shopify.com/s/files/1/0432/2862/7107/files/71537343407.pdf
- https://cdn.shopify.com/s/files/1/0437/8607/6309/files/24466138065.pdf
- https://cdn.shopify.com/s/files/1/0428/8774/1599/files/doginixipalasekuv.pdf
- https://cdn.shopify.com/s/files/1/0433/4452/7511/files/15612750404.pdf
- https://cdn.shopify.com/s/files/1/0431/0905/6668/files/5967349813.pdf
- https://cdn.shopify.com/s/files/1/0429/0258/5500/files/55290158055.pdf
- https://cdn.shopify.com/s/files/1/0431/5011/4978/files/70945777726.pdf
- https://cdn.shopify.com/s/files/1/0435/2439/1071/files/munopomuzofi.pdf
- https://cdn.shopify.com/s/files/1/0437/3368/0282/files/70878332945.pdf
- https://cdn.shopify.com/s/files/1/0429/6884/2393/files/nugilaramevuxopimut.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a830.bin` `5394d30382de0792f0ec955399d52963e995495e63dafb1bc71af94b219e4e45`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA830	5592 bytes
`font_01_sfnt_off0000bb24.bin` `d661dce4ed917e4a02d30759752a4aea263ff237d343b43ee4ac2af7e14bfab8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBB24	14324 bytes
`font_02_sfnt_off0000e7c8.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7C8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.