PDF malware analysis — malicious · 1e1132d171274c64

MALICIOUS

PDF

46.2 KB Created: 2020-08-06 22:50:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7faab4c61c977a893228fb73dc5103e3 SHA-1: 22025022f1b74e71806bdaab9a59a43a9d38118e SHA-256: 1e1132d171274c640486f3c641aa5f1fe2d3f1454863b7263f36997aa2709838

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector infrastructure. The document body, though partially corrupted, contains the URL 'https://ttraff.ru/pify?keyword=plantilla+de+diagrama+bimanual+pdf' which is flagged as malicious. This suggests the document's primary purpose is to redirect users to malicious content, likely for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=plantilla+de+diagrama+bimanual+pdf
- http://files.number25deli.co.uk/uploads/1/3/2/6/132680822/fbffef669020.pdf
- http://files.kentcrusaders.com/uploads/1/3/2/6/132681443/dilonorixesito.pdf
- http://febovuku.highpeaksedteam.org/uploads/1/3/2/8/132816036/vasutiraxire.pdf
- https://cdn.shopify.com/s/files/1/0430/2805/4169/files/99998149827.pdf
- https://cdn.shopify.com/s/files/1/0429/2476/9436/files/84457712612.pdf
- https://cdn.shopify.com/s/files/1/0439/3133/6859/files/urban_sprawl_definition.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81603963226.pdf
- https://cdn.shopify.com/s/files/1/0434/5266/1912/files/roregonelovede.pdf
- https://cdn.shopify.com/s/files/1/0431/5290/0250/files/8281703955.pdf
- https://cdn.shopify.com/s/files/1/0438/1540/3682/files/94188060643.pdf
- https://cdn.shopify.com/s/files/1/0437/8761/6413/files/beading_tutorials.pdf
- https://cdn.shopify.com/s/files/1/0440/1466/5886/files/wobofasewo.pdf
- https://cdn.shopify.com/s/files/1/0433/8004/8023/files/bozinuvugaj.pdf
- https://cdn.shopify.com/s/files/1/0432/8390/6724/files/56976215229.pdf
- https://cdn.shopify.com/s/files/1/0434/5652/8544/files/nifowavix.pdf
- https://cdn.shopify.com/s/files/1/0437/9390/7869/files/30849823398.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000060bf.bin` `824e8e18d321ee655672bd9988e4e5188b3f0c7dbf654d742a1cc38bc92a8f8b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60BF	5324 bytes
`font_01_sfnt_off000072c3.bin` `d46b9c90bc78512cb4291ad6a1112097af640f2978703fa36a6e78d9faa1e26c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72C3	11004 bytes
`font_02_sfnt_off000096bf.bin` `dbf142a5ee5912dba0d06f749c68ada68fc433a58d5d71ae416dbac8ced49b19`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x96BF	16080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.