PDF malware analysis — malicious · 426b12baa2e07235

MALICIOUS

PDF

65.8 KB Created: 2020-08-12 04:49:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 847e1cead665e2c9ab12d2a78382f036 SHA-1: b2e7cce8ca195bd070a26c0190e21681f0183e90 SHA-256: 426b12baa2e0723586f3e170ceb72ca6bed3b6c856b72ce2cf2c8956f1d05d4f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as legitimate documents, but one of the primary links redirects to a known malicious infrastructure at ttraff.ru. This suggests a phishing or malware distribution attempt. The document body itself is heavily obfuscated and contains the malicious URL, further indicating its role in directing users to harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=is+95+cdma+architecture+pdf
- http://files.ctk.net/uploads/1/3/1/4/131408899/ce54fb0.pdf
- http://files.artwalkstalbert.com/uploads/1/3/0/9/130969712/6451970.pdf
- http://files.robhightonart.com/uploads/1/3/1/4/131437017/6214203.pdf
- https://cdn.shopify.com/s/files/1/0434/8982/0836/files/lexical_meaning_murphy.pdf
- https://cdn.shopify.com/s/files/1/0437/5258/7415/files/86465948507.pdf
- https://cdn.shopify.com/s/files/1/0440/0077/2246/files/36077571609.pdf
- https://cdn.shopify.com/s/files/1/0432/4678/0566/files/58058377749.pdf
- https://cdn.shopify.com/s/files/1/0429/9912/0033/files/3069433643.pdf
- https://cdn.shopify.com/s/files/1/0428/2744/8476/files/bekozigo.pdf
- https://cdn.shopify.com/s/files/1/0433/8761/7447/files/gozinorasi.pdf
- https://cdn.shopify.com/s/files/1/0431/1947/6896/files/49649854493.pdf
- https://cdn.shopify.com/s/files/1/0434/1124/3164/files/58603771693.pdf
- https://cdn.shopify.com/s/files/1/0432/5166/3012/files/62246159925.pdf
- https://cdn.shopify.com/s/files/1/0429/8155/6375/files/lasuvumekakulezitiwabine.pdf
- https://cdn.shopify.com/s/files/1/0437/1811/5480/files/2015_toyota_corolla_manual.pdf
- https://cdn.shopify.com/s/files/1/0428/7728/8611/files/certificate_of_work_experience.pdf
- https://cdn.shopify.com/s/files/1/0433/7732/8278/files/discord_overlay_obs.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009fef.bin` `47545881093d22349e880aa418f3dfbb3d036cff1881907332ef7be843b1c4dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FEF	8048 bytes
`font_01_sfnt_off0000bb1f.bin` `151be7ce97b34b543dc48e0289b15488292df857bb4524508abb87b546e1dff2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBB1F	5580 bytes
`font_02_sfnt_off0000cdea.bin` `2c938b8db77da9c1a5ef98d5d911754907b5444855bc50e115944dedb1db227b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCDEA	13720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.