PDF malware analysis — malicious · 3f299022da5466de

MALICIOUS

PDF

71.1 KB Created: 2020-08-18 22:22:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 549ded22040367196f211be1b99903c1 SHA-1: c762c119fa88c35f92d8785a463df948d664f36d SHA-256: 3f299022da5466de0c06e70a9ba3fe6412b032e7ce1ad5269355c7b3bf75de8e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to a redirector service (ttraff.ru) that is known to host malicious content. The document body, though heavily obfuscated, contains keywords related to software downloads, suggesting a lure to trick users into clicking the malicious links. The presence of a link farm heuristic further supports the attack pattern of using numerous links to obscure the malicious destination.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=apache+open+office+f%25C3%25BCr+android
- http://files.votelogan53.com/uploads/1/3/2/7/132741476/jedafivejalam-gasope-sexinax.pdf
- http://files.boxerjkd.com/uploads/1/3/1/4/131453805/4133609.pdf
- http://files.pmuasia.com/uploads/1/3/0/8/130874213/dugosujurizurori.pdf
- https://cdn.shopify.com/s/files/1/0430/9037/8903/files/baxaruxepogevebojus.pdf
- https://cdn.shopify.com/s/files/1/0432/0854/0324/files/rambabu_audio_song.pdf
- https://cdn.shopify.com/s/files/1/0444/8750/8135/files/assignment_abroad_times_newspaper.pdf
- https://cdn.shopify.com/s/files/1/0432/7496/1059/files/14152350672.pdf
- https://cdn.shopify.com/s/files/1/0433/1172/6750/files/diranuxumaguvamuw.pdf
- https://cdn.shopify.com/s/files/1/0432/6011/7160/files/18394847746.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/9525543421.pdf
- https://cdn.shopify.com/s/files/1/0431/3631/9645/files/givulanowuditu.pdf
- https://cdn.shopify.com/s/files/1/0430/1189/9551/files/74998291523.pdf
- https://cdn.shopify.com/s/files/1/0441/1876/9816/files/44504677732.pdf
- https://cdn.shopify.com/s/files/1/0432/7142/2102/files/factoring_with_algebra_tiles_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0441/4645/8776/files/gafezuwa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c144.bin` `2220b06263d03938ca6d1d4137fd419f558ecb0aab51339ca12af141f96266f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC144	4460 bytes
`font_01_sfnt_off0000d0f4.bin` `dd29f0f8560103dc34e54e301c36396b44d51c68fe29ffcaf450ae81e085f3bc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD0F4	5144 bytes
`font_02_sfnt_off0000e230.bin` `e0c5ae10749cbcb26b37d620724264cddc995fe84fd2cb46d7b1283cc18df622`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE230	13584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.