PDF malware analysis — malicious · f949d326979f18a8

MALICIOUS

PDF

68.8 KB Created: 2020-08-21 19:48:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3de30afc88c5add1e887d7712010e9bd SHA-1: c2e98ac7322698917c3e20206183b421c1c86e3c SHA-256: f949d326979f18a8784023d925cc77ec8a9593a83b7166d4b144e7f1d61e129a

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.cc). This suggests a link farm or redirection tactic to obscure the final malicious destination. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the intent to lure the user to a harmful site. The presence of a 'link farm' heuristic further supports the attack pattern of using numerous links to disguise malicious activity.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=bhc+powder+full+form
- http://files.paragonmedia.tv/uploads/1/3/1/4/131407709/fcf6fde4e514.pdf
- https://cdn.shopify.com/s/files/1/0434/7923/6774/files/business_loan_application_form_sample.pdf
- https://cdn.shopify.com/s/files/1/0430/2936/4885/files/jepakinogasaze.pdf
- https://cdn.shopify.com/s/files/1/0429/5265/5002/files/modejuxuratisi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/83142526711.pdf
- https://cdn.shopify.com/s/files/1/0429/6481/1927/files/wuzosagepopikowu.pdf
- https://cdn.shopify.com/s/files/1/0427/6856/4380/files/juferolarikevaxaxozo.pdf
- https://cdn.shopify.com/s/files/1/0431/5817/5908/files/32679499025.pdf
- https://cdn.shopify.com/s/files/1/0430/0475/6121/files/ravi_prakash_name_ringtone.pdf
- https://cdn.shopify.com/s/files/1/0432/3239/5426/files/lilajubivanot.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/magobusiriwolozun.pdf
- https://cdn.shopify.com/s/files/1/0430/3365/7498/files/punominefaruvukapi.pdf
- https://cdn.shopify.com/s/files/1/0430/9860/3669/files/mabanalojabilazegu.pdf
- https://cdn.shopify.com/s/files/1/0430/7006/2754/files/fopozexusofuxudoxidupor.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ce70.bin` `68f61f9347d3089dc5787d7f5fa2a56c658e3d33f65d18a0f1f8ab81c5cb5885`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCE70	5148 bytes
`font_01_sfnt_off0000dfe0.bin` `86320322913c209f2eec7b913e8de9f7fbb5863942dd58dc8911e639a3954d5f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDFE0	11440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.