Verdict: MALICIOUS (risk score 120)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell
The PDF is a lure posing as a SQL Server 2014 installation guide (the keyword carried in the redirector URL). It contains a clickable link to ttraff.ru, a known malicious redirector, which the PDF_MALICIOUS_REDIRECTOR_LINK heuristic flags. It also carries a large number of outbound links to other hosted PDFs, most of them clustered on a single CDN host; PDF_SEO_LINK_FARM flags this as a generated SEO link farm whose purpose is to push the lure into search results and route readers into a redirect chain rather than to cite sources. The producer metadata names wkhtmltopdf, a headless HTML-to-PDF converter, which is consistent with bulk generation from an HTML template rather than a hand-authored document. The document body itself is unremarkable (the only carved artifacts are two embedded fonts): as the redirector heuristic notes, documents of this kind typically rely on the reader clicking a link and following the redirects, not on a PDF parser vulnerability.
Heuristics (3)
- PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure. The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- PDF_SEO_LINK_FARM [critical]: Small PDF contains a mass external PDF link farm. The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- EMBEDDED_URL [info]: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- https://ttraff.ru/pify?keyword=sql+server+2014+installation+step+by+step+pdf
- http://files.sgga.info/uploads/1/3/1/4/131406391/vanes.pdf
- http://files.northernettessynchro.org/uploads/1/3/1/3/131384173/garubiwavimosa.pdf
- http://files.cottondownsouth.com/uploads/1/3/1/4/131437593/68f5e82128.pdf
- http://files.yogapellcity.com/uploads/1/3/1/8/131856188/6f6d5c35a6f0.pdf
- http://files.townofspooner.com/uploads/1/3/2/8/132815785/bipawe.pdf
- https://cdn.shopify.com/s/files/1/0436/8711/6965/files/92305395869.pdf
- https://cdn.shopify.com/s/files/1/0430/2071/4137/files/ganatuxodabup.pdf
- https://cdn.shopify.com/s/files/1/0432/9163/9974/files/60914118904.pdf
- https://jefidibodojo.files.wordpress.com/2020/07/94710535065.pdf
- https://lebijipezafu366428007.files.wordpress.com/2020/07/38480917460.pdf
- https://jinaravu.files.wordpress.com/2020/07/84653345739.pdf
- https://cdn.shopify.com/s/files/1/0440/6345/7432/files/vuloroditokapakovibis.pdf
- https://cdn.shopify.com/s/files/1/0440/6696/3621/files/mogiloratasupol.pdf
- https://cdn.shopify.com/s/files/1/0432/7315/8821/files/64696602919.pdf
- https://cdn.shopify.com/s/files/1/0431/0191/3244/files/puzedulirolasixatudaju.pdf
- https://cdn.shopify.com/s/files/1/0432/6244/3683/files/mamobuxogepigekoxa.pdf
- https://cdn.shopify.com/s/files/1/0431/2812/7654/files/lolaw.pdf
- https://cdn.shopify.com/s/files/1/0433/5897/8207/files/5517300968.pdf
- https://cdn.shopify.com/s/files/1/0428/7689/5398/files/68633093578.pdf
The remaining six URLs are XMP/RDF namespace identifiers from the document metadata, not clickable link targets:
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
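As an added example (not the analyzer's code and not part of the report), the following Python implements the three heuristics above over a PDF: it pulls URLs out of /URI link-annotation actions, out of inflated FlateDecode streams and out of the raw file, labels each URL with the channel that reached it, and then applies a redirector check and a link-farm check that only count clickable link annotations. The redirector blocklist (containing ttraff.ru, the host named in the report), the thresholds, the `.test` hostnames and the sample PDF it builds are all assumptions made for the example.

```python
# Added example (not the analyzer's code): minimal redirector / link-farm heuristics over a constructed PDF.
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}  # hypothetical blocklist; ttraff.ru is the host from the report
# XMP/RDF namespace URIs sit in PDF metadata as plain strings; they are not link targets.
METADATA_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                               "http://purl.org/dc/elements/", "http://ns.adobe.com/")
# Illustrative link-farm thresholds: max file size, min external .pdf links, min share on the top host.
FARM_MAX_SIZE, FARM_MIN_PDF_LINKS, FARM_MIN_TOP_HOST_SHARE = 64 * 1024, 10, 0.5

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # the URI of a /A << /S /URI /URI (...) >> action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
GENERIC_URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
PRODUCER_RE = re.compile(rb"/Producer\s*\(([^)]*)\)")


def _buffers(pdf):
    """Yield the raw file plus each stream body, inflated when it is FlateDecode data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            # decompressobj tolerates a stream whose trailing bytes the regex may have clipped.
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not deflate data (e.g. the XMP metadata stream); scan it as-is


def extract_urls(pdf):
    """Map each URL to the channel that reached it: link_annotation, document_body or metadata_namespace."""
    found = {}
    for buf in _buffers(pdf):
        for m in URI_ACTION_RE.finditer(buf):
            found[m.group(1).decode("latin-1")] = "link_annotation"
    for buf in _buffers(pdf):
        for m in GENERIC_URL_RE.finditer(buf):
            url = m.group(0).decode("latin-1")
            if url not in found:
                is_ns = url.startswith(METADATA_NAMESPACE_PREFIXES)
                found[url] = "metadata_namespace" if is_ns else "document_body"
    return found


def evaluate(pdf):
    """Apply the redirector and link-farm heuristics; only clickable link annotations count as links."""
    urls = extract_urls(pdf)
    links = [u for u, ch in urls.items() if ch == "link_annotation"]
    hosts = Counter(urlparse(u).hostname for u in links)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_n / len(links) if links else 0.0
    hits = []
    redirectors = sorted(h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS)
    if redirectors:
        hits.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", "redirector host(s): " + ", ".join(redirectors)))
    if (len(pdf) <= FARM_MAX_SIZE and len(pdf_links) >= FARM_MIN_PDF_LINKS
            and top_share >= FARM_MIN_TOP_HOST_SHARE):
        hits.append(("PDF_SEO_LINK_FARM", "critical",
                     f"{len(pdf_links)} external .pdf links, {top_share:.0%} on {top_host}"))
    m = PRODUCER_RE.search(pdf)
    return {"urls": urls, "link_count": len(links), "top_host": top_host, "top_host_share": top_share,
            "producer": m.group(1).decode("latin-1") if m else None, "heuristics": hits}


def build_sample_pdf(links, producer="wkhtmltopdf 0.12.6"):
    """Constructed sample, not a file from the report: one /URI link annotation per URL, a FlateDecode
    content stream whose text mentions a URL, and an XMP metadata stream. No xref table; this scanner
    does not need one."""
    content = zlib.compress(b"BT (See http://files.site9.test/uploads/guide.pdf) Tj ET")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots ["
            + b" ".join(b"%d 0 R" % (7 + i) for i in range(len(links))) + b"] >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content),
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
            b"<< /Producer (%s) >>" % producer.encode()]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI (%s) >> >>"
             % u.encode() for u in links]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R /Info 6 0 R >>\n%%EOF\n"


# Constructed link set: the report's redirector URL plus farm-style .pdf links on made-up .test hosts.
SAMPLE_LINKS = (["https://ttraff.ru/pify?keyword=sql+server+2014+installation+step+by+step+pdf"]
                + [f"https://cdn.shop.test/s/files/1/04{i:02d}/files/{i * 7919}.pdf" for i in range(12)]
                + [f"http://files.site{i}.test/uploads/1/3/1/4/{i}.pdf" for i in range(3)])

if __name__ == "__main__":
    report = evaluate(build_sample_pdf(SAMPLE_LINKS))
    for name, severity, detail in report["heuristics"]:
        print(f"{name} [{severity}]: {detail}")
    for url, channel in sorted(report["urls"].items(), key=lambda kv: kv[1]):
        print(f"  {channel:18} {url}")
```

Two design points carry over from the report. Only link annotations feed the host clustering and the redirector check, so a URL mentioned in body text or a namespace URI from the XMP block can never trip PDF_SEO_LINK_FARM on its own; that is exactly the false positive the six namespace entries above would otherwise cause. And the string regexes here do not handle PDF escapes such as `\(` inside literal strings or hex-encoded `<...>` strings, so a production scanner should walk the objects with a real PDF parser and apply the same classification.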
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00008105.bin | abb59ef90a969e7cc8066519f9dc1ad2c5e87c43df28ab36962ee8062a90ef24 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8105 | 5768 bytes |
| font_01_sfnt_off000094bb.bin | 6fe3f34d023af58842b00ad7d59650a6665fdd590bc1f7a6f97a4f9beb7c4b0f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x94BB | 10896 bytes |