PDF malware analysis — malicious · 1a20b9e8bf57b270

MALICIOUS

PDF

37.0 KB Created: 2020-08-31 23:45:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8b6c8df4f6d8b9150aec616c23764f58 SHA-1: bbfc471c400e2b95ee24b726f0532e4f9ab3f02b SHA-256: 1a20b9e8bf57b270f7fa4900309938a3985025dcc7ae8b0545a9a7451e3195b7

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=practice+with+colons+and+semicolons+worksheet'. It also exhibits characteristics of a PDF link farm, with numerous embedded links to external PDFs. The document body, though heavily obfuscated, contains the same malicious URL and appears to be a lure for a worksheet, likely intended to trick users into clicking the malicious link. The presence of a visual download button heuristic further supports this phishing pretext.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=practice+with+colons+and+semicolons+worksheet
- https://static.usrfiles.com/ugd/b8c837_632dc816256b42d1bbeacd3c617a18c7.pdf
- https://static.usrfiles.com/ugd/f3ecbe_cf73c4eb0763481c9db7d8bd68543c1a.pdf
- https://static.usrfiles.com/ugd/8b2c09_744795179ebb4e8ab10b75f21ff5d8a2.pdf
- https://static.usrfiles.com/ugd/269bb8_a619f9e119d742a39a885e743f32efc1.pdf
- https://static.usrfiles.com/ugd/b8c837_1d08ac3d725a4921b691155fbd84b27f.pdf
- https://static.usrfiles.com/ugd/b8c837_0c019b9e74c742288d9546c192187095.pdf
- https://static.usrfiles.com/ugd/9d66c7_32c84cc3feff4e7ca41c86c1990736d1.pdf
- https://static.usrfiles.com/ugd/c4ccc4_c740cea7b97f492bb9dd68ffe708af35.pdf
- https://static.usrfiles.com/ugd/b8c837_5d26706714284b4f9fb624b41232f538.pdf
- https://static.usrfiles.com/ugd/3bcfef_b9aae7713c034f2ab12273805951f7e5.pdf
- https://cdn.shopify.com/s/files/1/0429/0091/4343/files/hot_wire_anemometer_thermal_method.pdf
- https://cdn.shopify.com/s/files/1/0432/0778/6657/files/jobejibajo.pdf
- https://cdn.shopify.com/s/files/1/0429/0877/8663/files/cheam_park_farm_primary_uniform.pdf
- https://cdn.shopify.com/s/files/1/0428/9485/2252/files/3598865852.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000051fa.bin` `3d3cf0522c98a71aac25e8aaf771e46181965731e3b74b51c1841c2c62f06480`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x51FA	5336 bytes
`font_01_sfnt_off000063ff.bin` `95f20bd7770a52058901f62629eff6bae4fc5fa3beb1ba4e7532f4a2abf18b9e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63FF	10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.