PDF malware analysis — malicious · f833f97b7300ed8e

MALICIOUS

PDF

46.3 KB Created: 2020-08-04 13:02:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 783a46b3e76b8acb5aff3332519ae578 SHA-1: e2f24cde84f7980ed983b1a60d88b0c9929229d3 SHA-256: f833f97b7300ed8e674a75c9f1d1858a45ac5f106516397ffdaab58e4bf6eccc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link to a known malicious redirector at ttraff.com. This indicates a phishing or scam attempt, likely to direct users to malicious content. No scripts were extracted, but the PDF structure and embedded links strongly suggest a social engineering attack.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=l+architecture+baroque+pdf
- http://files.enviromech.co.uk/uploads/1/3/0/7/130776208/4c3a855329eaae6.pdf
- http://files.thejourneyinternational.org/uploads/1/3/1/4/131438093/21f7ee05cee8d33.pdf
- http://sipuj.bridgetownacupuncture.com/uploads/1/3/1/1/131164243/wobet-jogosibunipimo-xujomib.pdf
- http://files.belluccisrl.com/uploads/1/3/0/7/130739204/nemopazisud_nejerajuxepor_toxepef_boxakekisepu.pdf
- http://files.butterfliesandbumblebeesdaycare.com/uploads/1/3/0/8/130873922/2d9f5.pdf
- https://cdn.shopify.com/s/files/1/0434/0629/5201/files/62540185888.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96951977507.pdf
- https://cdn.shopify.com/s/files/1/0431/3556/5978/files/bdb2_to.pdf
- https://cdn.shopify.com/s/files/1/0434/0878/5562/files/78483509664.pdf
- https://cdn.shopify.com/s/files/1/0429/3358/4035/files/xejeleza.pdf
- https://cdn.shopify.com/s/files/1/0437/8161/9873/files/wafavuxivevekovane.pdf
- https://cdn.shopify.com/s/files/1/0433/3197/7370/files/57485184830.pdf
- https://cdn.shopify.com/s/files/1/0433/4642/8072/files/ardy_medium_diary.pdf
- https://cdn.shopify.com/s/files/1/0431/1659/3312/files/lubuvijaxefupibofad.pdf
- https://cdn.shopify.com/s/files/1/0428/1165/4307/files/az_900_microsoft_azure_fundamentals_book.pdf
- https://cdn.shopify.com/s/files/1/0429/7365/9290/files/23280115657.pdf
- https://cdn.shopify.com/s/files/1/0434/7848/3096/files/17824999191.pdf
- https://cdn.shopify.com/s/files/1/0430/7261/8657/files/vakekegidozibemave.pdf
- https://cdn.shopify.com/s/files/1/0440/7135/4533/files/83307897861.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000073dc.bin` `37ef64f845f45ccaf7a4c696117b9e07717e3af94b710bcbcd4be3d6b62ee263`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73DC	5240 bytes
`font_01_sfnt_off000085a4.bin` `51c9ce70564ff996da79cc15e5f6a669aeb8c536e659c2bb887bdb7e533f4d10`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x85A4	11348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.