PDF malware analysis — malicious · 229740a5f42995f1

MALICIOUS

PDF

36.4 KB Created: 2020-08-07 14:51:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5056d1d2a276e058bc93e1fea0078d7a SHA-1: 66126492cfa6dae0d6d31fcf36763a7dc97f4cf2 SHA-256: 229740a5f42995f1f05373bf5a1d85e6b6d309e0ce641b03140c90775df10614

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document contains a high number of embedded links, many of which point to external resources. One critical heuristic firing indicates a direct link to known malicious redirector infrastructure at `https://ttraff.ru/pify?keyword=chevelle+assembly+manual+pdf`. This suggests the document is designed to trick users into visiting malicious sites by disguising the link as a useful resource. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=chevelle+assembly+manual+pdf
- http://files.ladymaeimpressions.com/uploads/1/3/1/3/131379434/ba398.pdf
- http://files.foreverlawngeorgia.com/uploads/1/3/1/3/131383247/fijelotakitoduzenor.pdf
- http://files.meraglimholdings.com/uploads/1/3/2/6/132696512/d9ca60d29e2.pdf
- http://files.artofjfr.com/uploads/1/3/2/6/132696174/terizi-fofabafifedobi-toxet-vevole.pdf
- https://cdn.shopify.com/s/files/1/0435/2973/2248/files/bhagavad_gita_download_in_bengali.pdf
- https://cdn.shopify.com/s/files/1/0430/8477/5578/files/givipakuvir.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dijupabexapuvasazanuripik.pdf
- https://cdn.shopify.com/s/files/1/0431/2439/2087/files/bobcad_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0430/5145/0519/files/diccionario_psicologia_ingles_espaol.pdf
- https://cdn.shopify.com/s/files/1/0438/1740/2530/files/86641679983.pdf
- https://cdn.shopify.com/s/files/1/0437/5520/8865/files/70126433885.pdf
- https://cdn.shopify.com/s/files/1/0431/2625/9876/files/wulozopanugo.pdf
- https://cdn.shopify.com/s/files/1/0428/9606/4671/files/xerolerofomamem.pdf
- https://cdn.shopify.com/s/files/1/0433/5245/7369/files/34299588281.pdf
- https://cdn.shopify.com/s/files/1/0431/6535/2102/files/vertical_farming_philippines.pdf
- https://cdn.shopify.com/s/files/1/0431/6299/2795/files/wwe_raw_11_9_15.pdf
- https://cdn.shopify.com/s/files/1/0433/5026/1911/files/vigepekimurut.pdf
- https://cdn.shopify.com/s/files/1/0437/1313/4757/files/xipip.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004fa7.bin` `011bc71f36794ed14a46a07b4855c61497d6ea775eab417ef9a09071cda4af14`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4FA7	5392 bytes
`font_01_sfnt_off000061df.bin` `24ab176cc26523833df1321565e3e8c95427c9717deae1250195f328ec0da6d3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61DF	10232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.