PDF malware analysis — malicious · 4cf3385d6df84a20

MALICIOUS

PDF

43.8 KB Created: 2020-08-02 00:47:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 66affc06265d9c0eb94735341a6cd457 SHA-1: 4ade41d90660efd00faf0a453ce74a671fa994f8 SHA-256: 4cf3385d6df84a20b3f164a3240a99bac6bee1b41e765247bb256f0892afbd09

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded URLs, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to an address and the wkhtmltopdf tool, suggesting a lure. The primary malicious URL identified is https://ttraff.ru/pify?keyword=2830+merrywood+drive+sacramento+ca, which likely serves as a gateway to further malicious content. Another significant URL, https://cdn.shopify.com/s/files/1/0437/1342/9655/files/34301942090.pdf, is part of a link farm, potentially used to improve search engine ranking for malicious sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=2830+merrywood+drive+sacramento+ca
- http://files.obsessiongreenhouse.com/uploads/1/3/0/7/130775368/8217788.pdf
- http://files.barrow-lane.co.uk/uploads/1/3/0/8/130813489/08e3afdfb4ad1.pdf
- http://files.hannasophian.com/uploads/1/3/0/9/130969663/nugefekefifenu_bosen_rusotu.pdf
- http://files.northshorenightlife.com.au/uploads/1/3/1/4/131408017/4044636.pdf
- http://files.obs
- https://cdn.shopify.com/s/files/1/0437/1342/9655/files/34301942090.pdf
- https://cdn.shopify.com/s/files/1/0440/7122/3446/files/22893354126.pdf
- https://cdn.shopify.com/s/files/1/0429/7519/9391/files/1494218049.pdf
- https://cdn.shopify.com/s/files/1/0434/4355/2416/files/pezunotijaxegaj.pdf
- https://cdn.shopify.com/s/files/1/0435/3366/4408/files/74209400207.pdf
- https://cdn.shopify.com/s/files/1/0434/2389/1618/files/kikaxe.pdf
- https://cdn.shopify.com/s/files/1/0433/6995/5486/files/14110853857.pdf
- https://cdn.shopify.com/s/files/1/0434/4512/5281/files/dragon_bal_z_mugen.pdf
- https://cdn.shopify.com/s/files/1/0435/2193/3466/files/59341632500.pdf
- https://cdn.shopify.com/s/files/1/0429/8981/3909/files/wudugugusasamawixofu.pdf
- https://cdn.shopify.com/s/files/1/0434/6006/7480/files/bajanixafelafelu.pdf
- https://cdn.shopify.com/s/files/1/0433/6179/6248/files/26508253752.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006026.bin` `2ef3bec805669f66977e4c4a685640c9976ef9ccd9ae58aa49d026694d064dff`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6026	5844 bytes
`font_01_sfnt_off0000740b.bin` `1a916efdf0ec43b97e608507ba37a58ca41cac77c33e00957087db89b16e4a00`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x740B	14896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.