PDF malware analysis — malicious · 36deab6bec727b53

MALICIOUS

PDF

54.2 KB Created: 2020-08-04 05:46:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 44a11e7289393596d8335ce3eab52bd4 SHA-1: a2f1fb52173dde5b5d3008a87eeffd9f4934d179 SHA-256: 36deab6bec727b530146f8fc50a800acbd5c4e67df323784ff3cc9214e886295

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document exploits SEO techniques by embedding a large number of links, including a critical redirector link to 'ttraff.ru'. This link is designed to lure users into downloading potentially malicious content under the guise of 'aws sysops exam dumps pdf free download'. The document body, though heavily obfuscated, contains the target URL, confirming the malicious intent. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=aws+sysops+exam+dumps+pdf+free+download
- http://files.wskvfm.com/uploads/1/3/1/3/131379042/abd67.pdf
- http://files.upsideartgallery.com/uploads/1/3/0/7/130739234/3051142.pdf
- http://files.firstfridaysoakpark.com/uploads/1/3/1/4/131406491/c8ee424b325f21.pdf
- http://files.offthegrid24.com/uploads/1/3/2/7/132712358/fokebujegitepopives.pdf
- https://cdn.shopify.com/s/files/1/0434/0698/3318/files/blast_protection_minecraft.pdf
- https://cdn.shopify.com/s/files/1/0429/9702/2879/files/324396245.pdf
- https://cdn.shopify.com/s/files/1/0429/6966/1589/files/53975254714.pdf
- https://cdn.shopify.com/s/files/1/0428/0107/0247/files/52862971874.pdf
- https://cdn.shopify.com/s/files/1/0432/4245/5195/files/baywatch_hawai_cast.pdf
- https://cdn.shopify.com/s/files/1/0434/5059/7528/files/40548539565.pdf
- https://cdn.shopify.com/s/files/1/0433/3754/7929/files/kivegujeniw.pdf
- https://cdn.shopify.com/s/files/1/0438/9027/8568/files/44317923386.pdf
- https://cdn.shopify.com/s/files/1/0434/2684/0737/files/34747607384.pdf
- https://cdn.shopify.com/s/files/1/0439/5335/6955/files/8764554385.pdf
- https://cdn.shopify.com/s/files/1/0433/5442/3445/files/kojarupifokeled.pdf
- https://cdn.shopify.com/s/files/1/0432/5661/0976/files/63729293842.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0434/0698/3318/files/blast

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008023.bin` `2bf6359d915cc73154ba4c4dd78be59df2defead485e7c0c838ac70a6579837f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8023	5192 bytes
`font_01_sfnt_off000091c3.bin` `0e89e490762fa60e8801fbf7434b1531f28c58a2f8db47945e0ca6234529da91`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x91C3	13968 bytes
`font_02_sfnt_off0000bd69.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBD69	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.