PDF malware analysis — malicious · f52327c6aae5f3ca

MALICIOUS

PDF

43.8 KB Created: 2020-08-04 13:16:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8c41cdf74d9883f6fc1925bc21b7aba1 SHA-1: 45b4f030651b374c33b809e04213f532c8f1af47 SHA-256: f52327c6aae5f3cabaa9ae351d14f3e17ae32fdecfef74de244091ee39eaf8f8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, including a critical redirector link to 'https://ttraff.cc/pify?keyword=class+10+science+project+pdf'. This suggests a phishing or scam attempt, likely to redirect users to malicious content. No scripts were extracted, but the presence of numerous links, many hosted on Shopify, indicates a link farm designed to attract traffic or distribute malware. The document body is heavily obfuscated but contains the same redirector URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=class+10+science+project+pdf
- http://files.isadorazhao.com/uploads/1/3/0/8/130813846/benanejadixotibi.pdf
- http://files.kabostudio.com/uploads/1/3/2/6/132696029/4315375.pdf
- http://files.ourplacestoremember.com/uploads/1/3/2/6/132681150/c5a5bee0.pdf
- https://cdn.shopify.com/s/files/1/0434/7723/7917/files/bukowopopekemifuxezar.pdf
- https://cdn.shopify.com/s/files/1/0433/0625/4494/files/xovigirufadesuvitilas.pdf
- https://cdn.shopify.com/s/files/1/0438/3647/3501/files/c_check_if_string_is_numeric.pdf
- https://cdn.shopify.com/s/files/1/0429/6717/1223/files/44370403664.pdf
- https://cdn.shopify.com/s/files/1/0430/9227/9445/files/12922592533.pdf
- https://cdn.shopify.com/s/files/1/0430/2825/0781/files/666394004.pdf
- https://cdn.shopify.com/s/files/1/0428/1604/5222/files/criminal_investigation_swanson_11th_edition_download.pdf
- https://cdn.shopify.com/s/files/1/0435/4647/6708/files/zurata.pdf
- https://cdn.shopify.com/s/files/1/0431/4071/0566/files/liganitanekoxanarisi.pdf
- https://cdn.shopify.com/s/files/1/0433/0913/8084/files/rixamojatutiti.pdf
- https://cdn.shopify.com/s/files/1/0437/9312/1442/files/pefugatunekapobixa.pdf
- https://cdn.shopify.com/s/files/1/0436/2502/1603/files/troybilt_sickle_bar_mower.pdf
- https://cdn.shopify.com/s/files/1/0428/2574/4540/files/xisutebebulubogeki.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000060a1.bin` `e1a66c26d0ec2712d4954ad7e3561dbb2b24ec801df39ac5e4232269f4899c35`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60A1	5228 bytes
`font_01_sfnt_off00007272.bin` `d8b8a3790b5259747bd90ba186cc0a0d97e94250d49a5c34690d89e7b56d48d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7272	9912 bytes
`font_02_sfnt_off00009461.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9461	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.