PDF malware analysis — malicious · fd004c0586ab9788

MALICIOUS

PDF

50.0 KB Created: 2020-08-13 19:07:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4e9122780b88db0c90493e20a8bf74ab SHA-1: 0ce619977d8398049f89055d4f9e4e029b0381e3 SHA-256: fd004c0586ab9788a9b7a29349f8612dd20adff7a872f1bba46afe3720d71315

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to ttraff.com, which is flagged as malicious. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, some hosted on Shopify. The document body contains a call-to-action phrase, suggesting a lure to trick the user into clicking the malicious link.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=instructor
- http://jakoder.warrantytitle.net/uploads/1/3/1/1/131163635/d1ac5f9e41.pdf
- http://files.urbanteatowntxk.com/uploads/1/3/1/3/131398141/sumaguxila_refibo_kanowona_gubadol.pdf
- http://files.kipandfriends.com/uploads/1/3/1/4/131409309/7adbf.pdf
- http://files.ksparkleandshine.com/uploads/1/3/1/3/131398591/febef.pdf
- http://kepomu.andweber.com/uploads/1/3/2/7/132741555/lamotasivaso.pdf
- https://cdn.shopify.com/s/files/1/0433/8063/7861/files/mijipisezomeligopa.pdf
- https://cdn.shopify.com/s/files/1/0434/6806/2872/files/nanorokoza.pdf
- https://cdn.shopify.com/s/files/1/0429/8945/3473/files/70787980348.pdf
- https://cdn.shopify.com/s/files/1/0435/1072/6815/files/99671016086.pdf
- https://cdn.shopify.com/s/files/1/0431/0591/0933/files/42941896882.pdf
- https://cdn.shopify.com/s/files/1/0430/0485/4426/files/xajijaduliruf.pdf
- https://cdn.shopify.com/s/files/1/0430/3929/3589/files/53610777101.pdf
- https://cdn.shopify.com/s/files/1/0432/5192/5155/files/87766021422.pdf
- https://cdn.shopify.com/s/files/1/0432/4586/3067/files/28320466168.pdf
- https://cdn.shopify.com/s/files/1/0430/6118/2617/files/22820258043.pdf
- https://cdn.shopify.com/s/files/1/0431/4352/8609/files/mivuzosolirebexewogewode.pdf
- https://cdn.shopify.com/s/files/1/0433/8286/6083/files/public_holiday_2020_malaysia.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1015/files/19085176289.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000080f6.bin` `be9f0eebbd68d8612ed381db353743b4fa525510206b36944ef65df383861192`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x80F6	5408 bytes
`font_01_sfnt_off0000934d.bin` `ffbea7bdca1b31fbd76b8a097ea16fc24a1f4d732a66c85239a1afad671cd31b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x934D	11484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.