Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c28d30b25fb564d…

MALICIOUS

Type: PDF
Size: 42.9 KB
Created: 2020-08-30 00:42:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cad717a4ebe1539885dbb8a9bf7b0e6
SHA-1: 67f1e4ab3c55ce6afbacd83977f88b196ff2bcf7
SHA-256: 3c28d30b25fb564d679aa0f73880f6bffa930fe43ae87676cc36ec79c2542376
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment (note: in ATT&CK, T1566.002 is Spearphishing Link and Spearphishing Attachment is T1566.001; either can fit a PDF attachment whose payload is a link, so check the mapping against the observed delivery vector)
  • T1059.001 PowerShell

The redirector heuristic fires on a clickable link to 'https://ttraff.ru/wix?keyword=new+covenant+umc'. The sample also matches the PDF link-farm pattern: a small document carrying many external .pdf links, clustered on cdn.shopify.com and static.usrfiles.com. The document body is heavily obfuscated but still yields the redirector URL alongside several benign-looking PDF links, consistent with a lure that routes the reader to a malicious site through a redirect chain rather than through a parser exploit. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping above is not evidenced by the document's own content; whatever execution follows would come from the link chain after a click, not from opening the file.

Heuristics 3

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than a PDF parser vulnerability, so no exploit should be expected from opening the file itself; the risk materialises only once the link is followed.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external .pdf links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=new+covenant+umc
    • https://cdn.shopify.com/s/files/1/0432/1063/7476/files/machine_gun_car_horn.pdf
    • https://cdn.shopify.com/s/files/1/0428/6893/2767/files/49985610795.pdf
    • https://cdn.shopify.com/s/files/1/0431/6318/9412/files/75441004276.pdf
    • https://cdn.shopify.com/s/files/1/0429/9158/3391/files/discworld_collection.pdf
    • https://cdn.shopify.com/s/files/1/0463/3195/3309/files/wels_salary_matrix.pdf
    • https://static.usrfiles.com/ugd/b8c837_623562211cd74c198580d61541629065.pdf
    • https://static.usrfiles.com/ugd/b56239_d01254eea9c346788ba6517dace5cf20.pdf
    • https://static.usrfiles.com/ugd/913720_7ed9a13805d24484bd892a9308c1c145.pdf
    • https://static.usrfiles.com/ugd/c1de29_f315d17940fd4dcd855d67a654e2b26c.pdf
    • https://static.usrfiles.com/ugd/b8c837_4dcae3f53e624f2aa444ceba4c10c12f.pdf
    • https://static.usrfiles.com/ugd/b8c837_0c7359982ed24ee2baf6faef56330ab3.pdf
    • https://static.usrfiles.com/ugd/b8c837_972a347c37134841bd889e0d19d56688.pdf
    • https://static.usrfiles.com/ugd/b8c837_79d18a12e5bf4706bb62bc5982b6810e.pdf
    • https://static.usrfiles.com/ugd/e4ff69_55d0d03041bd45ddb24d9baf19b53515.pdf
    • https://static.usrfiles.com/ugd/b8c837_8147e87ba11b4a05a5b9d75ba534a127.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace URIs from the document's metadata, not clickable links; they appear in any XMP-bearing PDF and carry no signal on their own.
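As an added example (not the analysis engine's own code), the Python below implements the two link heuristics above over the link-annotation channel and runs them against a constructed PDF fragment built from a subset of this report's URLs. It also shows why the XMP namespace URIs at the end of the list carry no signal: they are never reached through a /URI action. The size and count thresholds, the redirector host list (seeded only with the host flagged here) and the example.org control host are assumptions.

```python
"""Link-annotation extraction plus the two PDF link heuristics named in the report.

Added example for illustration; not the analysis engine's code. The thresholds
and the redirector host list are assumptions, not values taken from the report.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SMALL_PDF_BYTES = 200 * 1024      # assumed: what counts as a "small" carrier PDF
MIN_EXTERNAL_PDF_LINKS = 8        # assumed: how many external .pdf links make a farm
MIN_TOP_HOST_SHARE = 0.5          # assumed: fraction of .pdf links on the busiest host
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}   # host flagged in this report; a real deployment loads a feed

# Literal string following a /URI key; handles \( \) \\ escapes inside the string.
_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def _unescape(raw: bytes) -> str:
    """Minimal PDF literal-string unescaping (enough for URLs; octal escapes ignored)."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_link_uris(pdf: bytes) -> list[str]:
    """URIs reached through /URI actions, i.e. the 'link annotation' channel.

    Only uncompressed dictionaries are scanned. Real samples (wkhtmltopdf output
    included) usually keep objects in FlateDecode streams, so inflate them first;
    that step is assumed to have been done by the caller.
    """
    return [_unescape(m) for m in _URI_RE.findall(pdf)]


def pdf_link_heuristics(pdf: bytes) -> dict:
    """Evaluate PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM over one file."""
    uris = extract_link_uris(pdf)
    redirector_hits = [u for u in uris
                       if (urlparse(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    by_host = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = by_host.most_common(1)[0] if pdf_links else (None, 0)
    top_share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "uris": uris,
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(top_share, 3),
        "PDF_MALICIOUS_REDIRECTOR_LINK": redirector_hits,
        "PDF_SEO_LINK_FARM": (len(pdf) < SMALL_PDF_BYTES
                              and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
                              and top_share >= MIN_TOP_HOST_SHARE),
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed, uncompressed PDF fragment: an XMP packet plus one /Link annotation per URL.

    No xref table or page tree, so a viewer will not open it; it exists only to
    exercise the scan above. The XMP namespace URI must NOT show up as a link.
    """
    parts = [b"%PDF-1.4\n",
             b"10 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
             b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
             b"endstream endobj\n"]
    for n, u in enumerate(urls, start=20):
        parts.append(f"{n} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({u}) >> >> endobj\n".encode("latin-1"))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed sample using a subset of the indicators listed in this report.
SAMPLE_URLS = [
    "https://ttraff.ru/wix?keyword=new+covenant+umc",
    "https://cdn.shopify.com/s/files/1/0432/1063/7476/files/machine_gun_car_horn.pdf",
    "https://cdn.shopify.com/s/files/1/0428/6893/2767/files/49985610795.pdf",
    "https://cdn.shopify.com/s/files/1/0429/9158/3391/files/discworld_collection.pdf",
    "https://static.usrfiles.com/ugd/b8c837_623562211cd74c198580d61541629065.pdf",
    "https://static.usrfiles.com/ugd/b56239_d01254eea9c346788ba6517dace5cf20.pdf",
    "https://static.usrfiles.com/ugd/913720_7ed9a13805d24484bd892a9308c1c145.pdf",
    "https://static.usrfiles.com/ugd/c1de29_f315d17940fd4dcd855d67a654e2b26c.pdf",
    "https://static.usrfiles.com/ugd/b8c837_4dcae3f53e624f2aa444ceba4c10c12f.pdf",
    "https://static.usrfiles.com/ugd/b8c837_0c7359982ed24ee2baf6faef56330ab3.pdf",
]
# Control: a normal document citing one external PDF should trip neither rule.
CONTROL_URLS = ["https://example.org/papers/report.pdf"]   # placeholder host, not from the report

if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("control", CONTROL_URLS)):
        r = pdf_link_heuristics(build_sample_pdf(urls))
        print(name, r["PDF_MALICIOUS_REDIRECTOR_LINK"], r["PDF_SEO_LINK_FARM"],
              r["pdf_link_count"], r["top_host"], r["top_host_share"])
```

The control document shows the part of PDF_SEO_LINK_FARM that matters in practice: a single external .pdf citation has a top-host share of 1.0, so the host-clustering test alone would fire on ordinary documents; it is the combination of small file size, a high absolute link count and clustering that separates a generated carrier from a normal bibliography.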

Extracted artifacts 3

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt); none of the heuristics above fires on them.

Filename | Kind | Source | Size
font_00_sfnt_off00005d4e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D4E | 4592 bytes
  SHA-256: 04bec03f0efdd6fc6dd92f8ff0dbb4993768c3838badc8f24b72501f9f6cdc4a
font_01_sfnt_off00006ce3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CE3 | 10532 bytes
  SHA-256: 881e67269001e5683abf7a4263b1bdc7d5c7eeb895004b65b10b829a19c6b6ad
font_02_sfnt_off000090f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90F7 | 4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71