PDF malware analysis — malicious · fc221ad78ce98d71

MALICIOUS

PDF

46.4 KB Created: 2020-08-08 02:13:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 814d5424e5577e391700b6fbdec60479 SHA-1: ff23a87ffd72a6f2210c2727dc2f890932573724 SHA-256: fc221ad78ce98d71c1427880ac01868880e48f58bbe4d1ba1181eedad9cda97c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains multiple embedded URLs, with a critical heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains text that appears to be a lure for 'Vocabulary for IELTS reading pdf'. The primary malicious URL identified is https://ttraff.cc/pify?keyword=vocabulary+for+ielts+reading+pdf, which likely leads to further malicious content. The file also contains a large number of external PDF links, suggesting a link farm or SEO poisoning attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=vocabulary+for+ielts+reading+pdf
- http://files.wkt.co.nz/uploads/1/3/1/8/131872021/fuzedurud_setulovanoku_voras_bigixijigoletik.pdf
- http://files.nicholsonflowers.co.uk/uploads/1/3/2/6/132681308/6400085.pdf
- http://files.thecottagebaker.net/uploads/1/3/1/6/131637194/zewogivugo-kubibimugitu.pdf
- http://files.absoluteripple.com/uploads/1/3/1/3/131398214/lagobezatoboxajep.pdf
- https://cdn.shopify.com/s/files/1/0434/0737/6546/files/gagoxakelal.pdf
- https://cdn.shopify.com/s/files/1/0438/3778/4224/files/gm_service_manual.pdf
- https://cdn.shopify.com/s/files/1/0435/5820/7643/files/writers_workshop_conference_form.pdf
- https://cdn.shopify.com/s/files/1/0432/7673/0533/files/forever_21_job_application.pdf
- https://cdn.shopify.com/s/files/1/0440/7663/0181/files/rubejimenurulokapalewuv.pdf
- https://cdn.shopify.com/s/files/1/0427/3229/0215/files/99842035204.pdf
- https://cdn.shopify.com/s/files/1/0433/8014/6334/files/52969526570.pdf
- https://cdn.shopify.com/s/files/1/0431/5804/4827/files/85699999419.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/36103472339.pdf
- https://cdn.shopify.com/s/files/1/0434/2785/6536/files/62916354788.pdf
- https://cdn.shopify.com/s/files/1/0428/6706/4998/files/nokugomaraliman.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/18187133080.pdf
- https://cdn.shopify.com/s/files/1/0437/1588/7256/files/asante_kingdom.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e84.bin` `da3833740bb7b52ad0df75a2f94ae49fff356ec790e8d43796fa8cdf38af6305`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E84	5528 bytes
`font_01_sfnt_off00008168.bin` `47695ae924f406a3be64c68342351f081fad715b000a7f930f9773d2f89ac624`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8168	13504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.