PDF malware analysis — malicious · 37c01b392ff67106

MALICIOUS

PDF

38.9 KB Created: 2020-08-08 21:39:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9484e43c072d671cd97088483d5bbc7a SHA-1: 90ed65fdd3096fd2c40640fb630ba4f442838234 SHA-256: 37c01b392ff67106d631795721b0a0360d74b24ed4611fc2e84fb88e3ca2ed52

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.ru/wb?keyword=wonders%20reading%20writing%20workshop%20pdf`. This indicates a phishing or social engineering attempt to direct the user to malicious content. The document also contains a large number of embedded URLs, many of which are hosted on Shopify, suggesting a link farm or SEO poisoning tactic to obscure the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=wonders%20reading%20writing%20workshop%20pdf
- http://tutizogu.susie-carter.com/uploads/1/3/1/0/131071157/zulela.pdf
- http://files.donsellmaninvite.com/uploads/1/3/0/7/130775393/97e92.pdf
- http://files.brockportmall.com/uploads/1/3/1/4/131437848/776474.pdf
- https://cdn.shopify.com/s/files/1/0432/3511/5175/files/80321635515.pdf
- https://cdn.shopify.com/s/files/1/0435/4385/5258/files/airport_city_manchester.pdf
- https://cdn.shopify.com/s/files/1/0431/4297/1553/files/vakagixexanedirufofepupex.pdf
- https://cdn.shopify.com/s/files/1/0430/4273/4237/files/64633149342.pdf
- https://cdn.shopify.com/s/files/1/0432/4681/3344/files/microbial_transformation_of_steroids.pdf
- https://cdn.shopify.com/s/files/1/0432/5507/0880/files/37420270905.pdf
- https://cdn.shopify.com/s/files/1/0432/9812/8036/files/22327595416.pdf
- https://cdn.shopify.com/s/files/1/0427/4031/8375/files/difibamegirexezamil.pdf
- https://cdn.shopify.com/s/files/1/0432/8220/2782/files/gutedolase.pdf
- https://cdn.shopify.com/s/files/1/0431/6371/3690/files/wudakegoxerosimelage.pdf
- https://cdn.shopify.com/s/files/1/0430/1006/4537/files/debesujuxe.pdf
- https://cdn.shopify.com/s/files/1/0428/3580/4319/files/79131548694.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004bf4.bin` `af5443fdb8d6d1c8a68f50c38ff7f58c4af386d0e845aab1800bd48611d4f525`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4BF4	5228 bytes
`font_01_sfnt_off00005dd2.bin` `4eeb48f3bc7acc753ce7014423ae953b8747d01b9bb4d2af2261e55f4b8462f6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DD2	10196 bytes
`font_02_sfnt_off000080ab.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x80AB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.