PDF malware analysis — malicious · 2d3c0f4f8e0bb224

MALICIOUS

PDF

61.6 KB Created: 2020-08-02 08:51:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 812508361e2d2e56bdc333e2db7844cf SHA-1: 6476c6b0734e8b30872040b19cfc1dc5db32a764 SHA-256: 2d3c0f4f8e0bb224938c83847b936668a2aa187a0e45532f7806d09b79798ac2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is 'https://ttraff.ru/pify?keyword=wow+classic+small+flame+sac'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the intended destination. The presence of numerous other links, many hosted on Shopify, indicates a link farm strategy to obscure the malicious destination. No scripts were extracted, but the PDF structure and embedded links strongly suggest a redirection-based attack.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=wow+classic+small+flame+sac
- http://files.euroconferences.org/uploads/1/3/1/0/131070152/zefajazaxose-lanitazudop-miwabokegod-fotito.pdf
- http://files.fmjhchoir.com/uploads/1/3/1/6/131606818/4700902.pdf
- http://files.workinnvision.com/uploads/1/3/1/3/131384018/zudemesenodevakani.pdf
- http://files.cockburnarchitecture.co.uk/uploads/1/3/0/7/130775735/vovivupejodugozi.pdf
- http://files.mrkevinkimmel.com/uploads/1/3/0/8/130874588/saxalugijar-rebabiz-vadajes.pdf
- https://cdn.shopify.com/s/files/1/0432/7066/8453/files/repiwarufojizedo.pdf
- https://cdn.shopify.com/s/files/1/0433/8604/4570/files/65834627631.pdf
- https://cdn.shopify.com/s/files/1/0427/6033/9623/files/47027946744.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wopeg.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46283819311.pdf
- https://cdn.shopify.com/s/files/1/0433/9440/0414/files/40735845594.pdf
- https://cdn.shopify.com/s/files/1/0431/1239/9009/files/7097520824.pdf
- https://cdn.shopify.com/s/files/1/0432/7673/0533/files/20950624102.pdf
- https://cdn.shopify.com/s/files/1/0429/2427/7923/files/jetiremasikijexefirome.pdf
- https://cdn.shopify.com/s/files/1/0436/1850/0765/files/kifagedatusikowuma.pdf
- https://cdn.shopify.com/s/files/1/0431/2144/2965/files/xowoxuvigabajitixeto.pdf
- https://cdn.shopify.com/s/files/1/0430/4899/2922/files/niwosibukure.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b4fa.bin` `efdb1c1927047dd964be28deddfc323fba1b0237fe9b84dfcfc8293960e8f45a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB4FA	5036 bytes
`font_01_sfnt_off0000c629.bin` `e44701ce6ac009a8ec5a271c68816279bff439a1e17090d98b069e06cd1f3ed0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC629	10316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.