PDF malware analysis — malicious · 22525df2d07fb1ae

MALICIOUS

PDF

43.5 KB Created: 2020-09-01 05:26:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 412f9f6e35c12a6c714abf761c49c9eb SHA-1: 1fd3181256e6df5dea2f4cf7ab2e2f59d9515cb6 SHA-256: 22525df2d07fb1aee4c4f103f0103f113b5bff550bda7f762dc4e2ac4594ee75

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a primary malicious redirector URL disguised as a search result for 'Acronis true image iso 2019'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the malicious nature of the ttraff.ru URL. The document body, though heavily obfuscated, contains the same lure text and URLs, indicating a social engineering attempt to drive traffic to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=acronis+true+image+iso++2019
- https://static.usrfiles.com/ugd/e23fbb_04089d60127842b49968a3bd7aa3f77c.pdf
- https://static.usrfiles.com/ugd/8b49c6_3188b5c6fec64305966a3b8663bb844c.pdf
- https://static.usrfiles.com/ugd/2f8cea_86b4cf412fb543b6a51b3ee77e65abc2.pdf
- https://static.usrfiles.com/ugd/b8c837_3a4dc7d7c37c42408a98ecda436eeb3b.pdf
- https://static.usrfiles.com/ugd/8acad3_e6c285bf6fb744bc92a1a17a9734ba43.pdf
- https://static.usrfiles.com/ugd/c3548c_cf9a38b78176452899cdff750b237bc7.pdf
- https://static.usrfiles.com/ugd/b8c837_4f3c77502bd8481685a7886b86258d2a.pdf
- https://static.usrfiles.com/ugd/0a052f_79611df881854839b06124dcc8ca976d.pdf
- https://static.usrfiles.com/ugd/b47706_7391166c67f14ee7aebef8548870f164.pdf
- https://static.usrfiles.com/ugd/b8c837_6d050ceb6fe641dc9586d6407100f7a9.pdf
- https://static.usrfiles.com/ugd/b8c837_a2298079133140999817f0eb7840f75a.pdf
- https://static.usrfiles.com/ugd/739437_c5c27e777b35413d88527dde33362f2d.pdf
- https://static.usrfiles.com/ugd/2e4eb4_004836d8e59b41d7992c4308611a2905.pdf
- https://static.usrfiles.com/ugd/b8c837_45bbcf50317944e9922dec9d260c78bc.pdf
- https://static.usrfiles.com/ugd/b8c837_04ba36cb25b14989b3ddd3fe3d2cb6fb.pdf
- https://cdn.shopify.com/s/files/1/0436/7260/0729/files/pixebedofujalozedotukid.pdf
- https://cdn.shopify.com/s/files/1/0436/9265/4745/files/59529654345.pdf
- https://cdn.shopify.com/s/files/1/0431/1393/9101/files/gapijixemolutuvudo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dijev.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a15.bin` `c4d4d523b626dc37f970f0a023c5eacd889749b48b8c5d29b48cfba8b151fd70`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A15	5560 bytes
`font_01_sfnt_off00007ce9.bin` `a062ea4e2e67780b0b76d79c415dc4ca34bedc2ad300858cdfeb1f668431e8cf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7CE9	10732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.