PDF malware analysis — malicious · 30194d05886e9f58

MALICIOUS

PDF

44.7 KB Created: 2020-08-10 00:46:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 861fd4af52718d640b1940a8b94df6b0 SHA-1: b2f5b1609eb26d5ca21ef7a8a58c18cdc05a3c91 SHA-256: 30194d05886e9f58f558cfc242e07d529b1ec551d2a3ff9700fdca6039b04baf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that the link at https://ttraff.ru/pify?keyword=amparo+directo+formato+pdf is associated with malicious infrastructure. The presence of a link farm further suggests an attempt to distribute malicious content or engage in SEO poisoning.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=amparo+directo+formato+pdf
- http://files.evolutionbeautyandwellness.com.au/uploads/1/3/1/3/131398497/zumana_junokez.pdf
- http://files.lwewrestling.com/uploads/1/3/2/3/132303286/fudetek.pdf
- http://files.stillwellsales.com/uploads/1/3/2/6/132682640/nozexevaxozevu.pdf
- http://files.secondsportswimming.com/uploads/1/3/1/3/131398117/wexidazo.pdf
- http://files.frostedfarmsnc.com/uploads/1/3/0/7/130776218/gironivud_vizemel_jupuzojifun_dugano.pdf
- https://cdn.shopify.com/s/files/1/0429/5337/5897/files/72030989508.pdf
- https://cdn.shopify.com/s/files/1/0437/8643/6759/files/buvarera.pdf
- https://cdn.shopify.com/s/files/1/0430/6285/3794/files/mubakemegekopatexebofufa.pdf
- https://cdn.shopify.com/s/files/1/0427/5470/3526/files/89827839074.pdf
- https://cdn.shopify.com/s/files/1/0436/1404/4323/files/twitch_how_to_change_stream_title.pdf
- https://cdn.shopify.com/s/files/1/0431/5817/5908/files/xubogupupamupure.pdf
- https://cdn.shopify.com/s/files/1/0432/5769/2320/files/75193387646.pdf
- https://cdn.shopify.com/s/files/1/0433/7251/1386/files/apprendre_la_langue_allemande_pour_debutant.pdf
- https://cdn.shopify.com/s/files/1/0429/9276/3039/files/rojigiw.pdf
- https://cdn.shopify.com/s/files/1/0435/9513/7187/files/blouse_design_images.pdf
- https://cdn.shopify.com/s/files/1/0428/0002/1667/files/fekupukibojoxafak.pdf
- https://cdn.shopify.com/s/files/1/0431/3012/6496/files/wemupirevazamubex.pdf
- https://cdn.shopify.com/s/files/1/0428/3580/4319/files/76794881116.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006936.bin` `e0007bb78132c403e89782a3b6687a0a7e3be1da702fbf09b804be14aef0ad14`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6936	5080 bytes
`font_01_sfnt_off00007a6a.bin` `88b140c664f30f41e427ddf67ceb32ec0e1dc3c17b1354cece2601d89469a5fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A6A	14396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.