PDF malware analysis — malicious · 19df62da96a5f3ec

MALICIOUS

PDF

39.7 KB Created: 2020-08-22 09:28:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 717d444783ee8f987d311cb3bb7f893d SHA-1: 184fd969358c8a5089480721d5a62812de1523b7 SHA-256: 19df62da96a5f3ec97df6b97b041abca33d3e154d58bcc1e0674973cbc210661

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, identified as a link farm, with a primary URL pointing to a redirector. The document body and heuristics indicate an attempt to lure users to download an APK file. The primary malicious URL is https://ttraff.ru/pify?keyword=bounce+tales+free++apk, which likely serves as a gateway to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bounce+tales+free++apk
- http://gigujul.metrolandrealtyph.com/uploads/1/3/0/8/130873826/voleko_semiga.pdf
- https://cdn.shopify.com/s/files/1/0429/9581/0455/files/gugafumi.pdf
- https://cdn.shopify.com/s/files/1/0432/3934/2248/files/mutuduwiwaxewon.pdf
- https://cdn.shopify.com/s/files/1/0428/1879/7724/files/43880583034.pdf
- https://cdn.shopify.com/s/files/1/0428/1086/7871/files/55616351694.pdf
- https://cdn.shopify.com/s/files/1/0431/0486/2375/files/99387915136.pdf
- https://cdn.shopify.com/s/files/1/0437/9007/4018/files/94666252945.pdf
- https://cdn.shopify.com/s/files/1/0433/0956/4064/files/harbor_freight_snow_blower.pdf
- https://cdn.shopify.com/s/files/1/0432/0267/4845/files/fizoliwetamilosupojowide.pdf
- https://cdn.shopify.com/s/files/1/0433/2794/6904/files/9568247250.pdf
- https://cdn.shopify.com/s/files/1/0430/9408/1687/files/meridian_555_manual.pdf
- https://cdn.shopify.com/s/files/1/0429/9502/4033/files/73417089220.pdf
- https://cdn.shopify.com/s/files/1/0431/7085/7122/files/kutirolorizekixok.pdf
- https://cdn.shopify.com/s/files/1/0440/9648/7576/files/saravezebavuwuxuzem.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000440d.bin` `0b93a199353ee869f47827d8f496dbe7479035262ea9977bfb00b1340ab84ef6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x440D	5124 bytes
`font_01_sfnt_off00005583.bin` `a14d3fa1c948313d4253e67d26fe91974edd29c88f0cef5c30fe75e0cd9515a4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5583	4392 bytes
`font_02_sfnt_off000065ff.bin` `103471b9a6aeb4da68a4a13c2af53bca896c04233d0ae8182a6825606eccf4c5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65FF	14180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.