PDF malware analysis — malicious · 3da02b7f73285fa0

MALICIOUS

PDF

44.4 KB Created: 2020-08-29 08:38:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7f79c7b1bfb0a628f0b6f1958a61c9ed SHA-1: 248d0ad8cc1ac95322aaef33b81f278846466b86 SHA-256: 3da02b7f73285fa0c92d9ea59e8f72090f7a75b852b1a238f0f363b31e8160c0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to Shopify and static.usrfiles.com, likely as part of an SEO link farm. One critical heuristic identified a link to a known malicious redirector at https://ttraff.ru/wix?keyword=st+johns+first+aid+manual+pdf. This suggests the document is designed to drive traffic to malicious infrastructure, potentially for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=st+johns+first+aid+manual+pdf
- https://cdn.shopify.com/s/files/1/0438/2579/1138/files/lidirobokeneruf.pdf
- https://cdn.shopify.com/s/files/1/0435/6649/7960/files/9796906952.pdf
- https://cdn.shopify.com/s/files/1/0440/8039/8486/files/41526305382.pdf
- https://cdn.shopify.com/s/files/1/0460/6728/6180/files/best_answer_to_what_motivates_you.pdf
- https://cdn.shopify.com/s/files/1/0436/8846/0441/files/1405963695.pdf
- https://static.usrfiles.com/ugd/b8c837_43cdedc5c9ef437aaec158e14bc2b1c2.pdf
- https://static.usrfiles.com/ugd/b8c837_eb6fca7f18444a6a859001c0166b6698.pdf
- https://static.usrfiles.com/ugd/b8c837_5c954b95b6f746faaf3d307c7670caea.pdf
- https://static.usrfiles.com/ugd/b8c837_7866946b93d54e1b8cc38ddc9c8c8b0d.pdf
- https://static.usrfiles.com/ugd/b8c837_55d3f6d278d84667b42ec3c2829b52a1.pdf
- https://static.usrfiles.com/ugd/b8c837_cbc3d507eb814d96ae8b29005642cbf6.pdf
- https://static.usrfiles.com/ugd/b8c837_bf40f4c26e664fb09c7741a6be1858b6.pdf
- https://static.usrfiles.com/ugd/b8c837_2c177b7d8d9e433b8513f640403fcce0.pdf
- https://static.usrfiles.com/ugd/b8c837_fb8832ae30a74c23af99b700dc1bf57d.pdf
- https://static.usrfiles.com/ugd/b8c837_dfb3f0fb8f694c62ba1aebb548656911.pdf
- https://static.usrfiles.com/ugd/b8c837_162a67d033f1448eafde8d7dda154477.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005ff0.bin` `0c0f7626fbf91aa7e496dc8470483931d0c366415b3ebc6a047730cad5559f17`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5FF0	5224 bytes
`font_01_sfnt_off00007173.bin` `ba7c0be64c88ab2b71d517974c398a90a893425656448cb31de590c321cca310`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7173	11100 bytes
`font_02_sfnt_off000096a0.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x96A0	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.