PDF malware analysis — malicious · 402b37c4849ef213

MALICIOUS

PDF

47.2 KB Created: 2020-08-29 20:13:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7d7dd42ecf07de42b194cce0a71a5f11 SHA-1: 8e38c393d8bfba56692e47f15ee214b7bd0b4015 SHA-256: 402b37c4849ef213f872de5d1120c91152170fa367a31ddf09269a5cb7894fa3

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised with a "cashback movie download" theme. This suggests a phishing or social engineering attack aimed at directing users to malicious content. The presence of a large number of external PDF links, many pointing to benign Shopify domains, indicates a potential SEO poisoning or link farm tactic to obscure the malicious redirector.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=cashback+movie+download+mp4
- https://static.usrfiles.com/ugd/b8c837_f0bbb218a3344a518b3ca18c344ff1bf.pdf
- https://static.usrfiles.com/ugd/b8c837_67e202df558441b9b48a5e8b9e5731da.pdf
- https://static.usrfiles.com/ugd/b8c837_a84e7df5727f4f7096af69625a29be4f.pdf
- https://static.usrfiles.com/ugd/b8c837_1a04c1735e534a769bc333a6f7d715d1.pdf
- https://static.usrfiles.com/ugd/b8c837_a55c3657c1c346ceb08a8fe36e0100b7.pdf
- https://cdn.shopify.com/s/files/1/0464/7528/0552/files/r_t_nagar_full_form.pdf
- https://cdn.shopify.com/s/files/1/0436/2820/0096/files/94333644813.pdf
- https://cdn.shopify.com/s/files/1/0433/2093/4558/files/altiplano_game_rules.pdf
- https://cdn.shopify.com/s/files/1/0437/6789/0069/files/academic_information_management_system_aims.pdf
- https://cdn.shopify.com/s/files/1/0448/1833/3858/files/literature_review_guide.pdf
- https://cdn.shopify.com/s/files/1/0433/7185/6026/files/understanding_video_games_the_essential_introduction.pdf
- https://cdn.shopify.com/s/files/1/0434/7055/3238/files/faditalu.pdf
- https://cdn.shopify.com/s/files/1/0429/7791/9129/files/dyson_dc07_parts_diagram.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063a9.bin` `4be05d8b298214fa60cc9e2fb926b5f0d796ed98b209310e44735a6ed2c5da95`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63A9	5568 bytes
`font_01_sfnt_off00007687.bin` `591cbbd38216d155d0d12ac7ea50698fa8bf3e2b6b0974e66f6ac82794d2848d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7687	10364 bytes
`font_02_sfnt_off00009a38.bin` `069f5cdcb972b33999f3dc18a3e5b847fc2aa024b7c5b45b4734cedf253a8e5c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A38	16376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.