PDF malware analysis — malicious · 39fb819fe78a1508

MALICIOUS

PDF

33.7 KB Created: 2020-08-26 20:02:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a899db2dcfe33db8cd60ed25fc47b0bf SHA-1: 616b02cb533bf63955d3d468b4df353caa2ed593 SHA-256: 39fb819fe78a1508bca0da573ee6f050dbff93d909fcdcd2da9de4313b8e7c29

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=guide+to+networking+essentials+7th+edition'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0435/1829/6228/files/wavazona.pdf'. The document body also contains text suggesting a lure related to a networking guide, and a medium heuristic indicates a callback phishing or tech-support scam pattern. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=guide+to+networking+essentials+7th+edition
- http://files.1flyguru.com/uploads/1/3/1/4/131454012/vizavamuminin_kemasixi_meruwedivowiki_jitolevakizesoz.pdf
- http://files.ahgu.net/uploads/1/3/2/3/132303035/6713405.pdf
- https://cdn.shopify.com/s/files/1/0435/1829/6228/files/wavazona.pdf
- https://cdn.shopify.com/s/files/1/0451/1229/5589/files/40827871844.pdf
- https://cdn.shopify.com/s/files/1/0428/5690/6911/files/nikujavuduvuwiwemawofizo.pdf
- https://cdn.shopify.com/s/files/1/0435/5181/7883/files/xuxojuramupagepezapemasu.pdf
- https://cdn.shopify.com/s/files/1/0432/3953/8851/files/vanefejuforetud.pdf
- https://cdn.shopify.com/s/files/1/0454/7385/7686/files/star_spangled_banner_lyrics_printable.pdf
- https://cdn.shopify.com/s/files/1/0430/7864/7957/files/vype_epen_3_user_guide.pdf
- https://cdn.shopify.com/s/files/1/0431/1734/6976/files/vigew.pdf
- https://cdn.shopify.com/s/files/1/0430/3133/0969/files/19720676873.pdf
- https://cdn.shopify.com/s/files/1/0434/7097/9238/files/16569986396.pdf
- https://cdn.shopify.com/s/files/1/0431/5109/8007/files/import_illustrator_layers_into_after_effects.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004527.bin` `02e893d063412a1f7d84ab354d06f37251bbee7459eb3d879cf0437db5f69a46`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4527	5356 bytes
`font_01_sfnt_off00005771.bin` `505fb2b7a020c32ecc285cb6e62b8af9d9eae746899a2932c269c3c3e234c1a5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5771	10108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.