PDF malware analysis — malicious · 4ba99e43f59444ba

MALICIOUS

PDF

44.1 KB Created: 2020-08-31 19:39:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4f2f23e4d4d68e3a8a40cab3a9a1fcd3 SHA-1: 1bc5fe72c2d1301aa148eb9a3b39d29e8c9178a7 SHA-256: 4ba99e43f59444baf5bee4a40c57f8a3ccfa073d54d28aae64cf3a734369cf39

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. Additionally, PDF_SEO_LINK_FARM indicates a large number of external links, many hosted on Shopify, suggesting an attempt to manipulate search results or distribute content. The primary malicious URL identified is https://ttraff.ru/pify?keyword=kubernetes+jenkins+slave+pod+template, which is likely used for phishing or malware delivery. The document body contains garbled text but also includes the malicious URL and several benign-looking Shopify URLs.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=kubernetes+jenkins+slave+pod+template
- https://cdn.shopify.com/s/files/1/0440/7833/4117/files/57063432550.pdf
- https://cdn.shopify.com/s/files/1/0436/0860/4829/files/wujigi.pdf
- https://cdn.shopify.com/s/files/1/0437/7539/3944/files/7th_grade_math_book_common_core.pdf
- https://cdn.shopify.com/s/files/1/0436/3078/8758/files/overlay_plugin_ffxiv.pdf
- https://cdn.shopify.com/s/files/1/0436/8554/4089/files/botany_notes_class_11.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lekutaxawiwasutoxojopelor.pdf
- https://cdn.shopify.com/s/files/1/0436/3033/0019/files/fundamentals_of_management_robbins_8th_edition.pdf
- https://cdn.shopify.com/s/files/1/0427/7728/0671/files/puxarifoxupuduviwip.pdf
- https://cdn.shopify.com/s/files/1/0466/5321/0789/files/12181619499.pdf
- https://cdn.shopify.com/s/files/1/0440/6909/3541/files/selubalamaxajal.pdf
- https://cdn.shopify.com/s/files/1/0427/6515/6508/files/88370411739.pdf
- https://cdn.shopify.com/s/files/1/0435/4444/5092/files/lafixutulipulid.pdf
- https://cdn.shopify.com/s/files/1/0430/8877/3269/files/3016809048.pdf
- https://cdn.shopify.com/s/files/1/0433/7870/4536/files/sociologia_da_educao_alberto_tosi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000606e.bin` `f6ec1f15c6981fd7d6282c92a842ba0ac81f28b042bc57d7afa1ef9e4e51cf54`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x606E	5296 bytes
`font_01_sfnt_off00007255.bin` `ed75cd33bc1eb85376cb92fdd1666d5b0871c52ee701b7f2ae1366dc9b4cc2ee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7255	10204 bytes
`font_02_sfnt_off0000955b.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x955B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.