PDF malware analysis — malicious · 2f813081c04ed358

MALICIOUS

PDF

44.0 KB Created: 2020-07-28 07:09:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 942a98cd8e14607fa2276232780cdbfe SHA-1: ea2f213902c338acd16cd89bc82552cf929befa8 SHA-256: 2f813081c04ed358039c740922e1329a4c86c28e5cfc8293a89c92003fded61d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a significant number of embedded links, a technique often used to redirect users to malicious websites or phishing pages. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically flags a link to traff.ru, indicating malicious redirector infrastructure. Additionally, PDF_SEO_LINK_FARM indicates a mass external PDF link farm, with the primary example being a Shopify-hosted PDF. The document body is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=old+canada+food+guide+serving+sizes
- http://files.crimsonsoccer.us/uploads/1/3/1/8/131856195/dadumiwizavit_rovizojegor_gedupogunexuwo.pdf
- http://files.huronmarketing.com/uploads/1/3/0/9/130968963/047573f88.pdf
- http://files.mail.thespiritbutterfly.com/uploads/1/3/1/0/131071035/nuref.pdf
- http://files.afteredengallery.com/uploads/1/3/1/4/131453919/titina-biropiru-turonu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78046530146.pdf
- https://cdn.shopify.com/s/files/1/0432/1912/4382/files/65173494749.pdf
- https://cdn.shopify.com/s/files/1/0434/2838/0839/files/kodiboruvofimupamumawa.pdf
- https://cdn.shopify.com/s/files/1/0432/9340/9438/files/64365691559.pdf
- https://cdn.shopify.com/s/files/1/0434/6970/1280/files/21176200111.pdf
- https://cdn.shopify.com/s/files/1/0433/5511/1589/files/mitujalu.pdf
- https://cdn.shopify.com/s/files/1/0433/6871/0309/files/tuxezewazatozipoluwuk.pdf
- https://cdn.shopify.com/s/files/1/0434/2156/5078/files/sifazolezegasepotim.pdf
- https://cdn.shopify.com/s/files/1/0429/0379/7916/files/najobilevuko.pdf
- https://cdn.shopify.com/s/files/1/0431/0702/5056/files/67460698969.pdf
- https://cdn.shopify.com/s/files/1/0433/8896/0919/files/52902000244.pdf
- https://cdn.shopify.com/s/files/1/0440/3937/2965/files/26742037734.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006faa.bin` `92e7be0568e9d762c0356364b9f30776da7efe73c922e0b945313fca2cfa7c05`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FAA	5128 bytes
`font_01_sfnt_off00008137.bin` `4e91c2ef17ccd6832beee27e928ae741a3175845f57e5f2f4b09cb3c46c788aa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8137	9880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.