PDF malware analysis — malicious · 3f281f9f843d26c4

MALICIOUS

PDF

86.3 KB Created: 2020-08-09 03:11:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 089cd85cafe68bb6a800ad8866a825bd SHA-1: 4be2b1adc576ee15bfbdfe370c1ca506374fddbe SHA-256: 3f281f9f843d26c4ffb4bcec6e165d30d5e4f13ea37aff508cdbfe1f51458ab6

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm designed to generate SEO traffic, with one of the primary links directing to a known malicious redirector. The document body, though heavily obfuscated, contains text that, when combined with the heuristic firings, strongly suggests an advance-fee scam lure. The primary malicious URL identified is ttraff.ru, which is used in conjunction with a keyword that appears to be part of the scam's narrative.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=agamemnon+text+pdf
- http://xakeniwod.sarkakocicka.net/uploads/1/3/1/3/131378776/gigudaf.pdf
- http://files.deaconmichel.com/uploads/1/3/1/4/131411688/6292661.pdf
- http://files.tavernegoudenpunt.be/uploads/1/3/1/3/131379540/tenopilopeda.pdf
- http://files.summithilltopperfootball.com/uploads/1/3/1/4/131406736/9a3d8f4c0faf1.pdf
- https://cdn.shopify.com/s/files/1/0430/1104/7575/files/meiosis_1_and_meiosis_2_worksheet_answer_key.pdf
- https://cdn.shopify.com/s/files/1/0431/1007/2481/files/zunupim.pdf
- https://cdn.shopify.com/s/files/1/0433/0638/5573/files/75833185219.pdf
- https://cdn.shopify.com/s/files/1/0437/3174/6967/files/70416769521.pdf
- https://cdn.shopify.com/s/files/1/0431/0705/7825/files/essential_fallout_new_vegas_mods.pdf
- https://cdn.shopify.com/s/files/1/0431/0394/4858/files/classification_of_matter_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0429/8774/9525/files/webeluv.pdf
- https://cdn.shopify.com/s/files/1/0427/9785/8972/files/wawiweliwij.pdf
- https://cdn.shopify.com/s/files/1/0428/2672/7580/files/rakokitif.pdf
- https://cdn.shopify.com/s/files/1/0435/7767/1843/files/doginarufegedatosedemox.pdf
- https://cdn.shopify.com/s/files/1/0433/5199/8623/files/xogil.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011943.bin` `77651cbf2ba00dc4ed0586bca626ff7866d6e7ec3a8f97b3a26777601393beee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11943	5112 bytes
`font_01_sfnt_off00012aaa.bin` `6cde8c14138dc11006cd6288aafecc510d07ff21c9839f9c415145e1e336e433`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12AAA	9892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.