PDF malware analysis — malicious · 4ea94b0e5ec6fb3d

MALICIOUS

PDF

39.2 KB Created: 2020-08-05 03:01:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 11e5fda7ab1c196c64593c5b2df9ddd6 SHA-1: c5b395637df068d5e6f9eba48e70ac83a91ec6bd SHA-256: 4ea94b0e5ec6fb3d069bb9bdf8d222bc11497d3b210250c790274ea37036cda3

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a download button, which is a common lure for phishing attacks. The PDF also functions as a link farm, directing users to numerous other PDFs, likely to obscure the malicious intent. The primary malicious URL identified is ttraff.ru, which redirects to a page related to 'past modals for possibility and probability exercises pdf'.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=past+modals+for+possibility+and+probability+exercises+pdf
- http://bodod.wonderfuljourneytravel.voyagerwebsites.com/uploads/1/3/2/6/132695278/wexabunofinop.pdf
- http://files.efhstsa.org/uploads/1/3/1/4/131406412/kekavug.pdf
- http://divikoki.jlizjewelrynmore.com/uploads/1/3/1/6/131637136/nixujideruv.pdf
- http://files.pirumanors.com/uploads/1/3/1/6/131637043/felow.pdf
- https://cdn.shopify.com/s/files/1/0435/1629/7368/files/xalutigilosewodij.pdf
- https://cdn.shopify.com/s/files/1/0429/6189/5587/files/36748276836.pdf
- https://cdn.shopify.com/s/files/1/0434/7972/8281/files/fozosumiv.pdf
- https://cdn.shopify.com/s/files/1/0433/1687/1333/files/lebomegatitibotuxorupi.pdf
- https://cdn.shopify.com/s/files/1/0435/3438/5303/files/pedazilupedidito.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vemuvuferakodumi.pdf
- https://cdn.shopify.com/s/files/1/0437/7391/9393/files/99117761030.pdf
- https://cdn.shopify.com/s/files/1/0431/8271/9136/files/5260131087.pdf
- https://cdn.shopify.com/s/files/1/0430/8713/4882/files/banksy_biografia.pdf
- https://cdn.shopify.com/s/files/1/0434/2897/0652/files/bafemora.pdf
- https://cdn.shopify.com/s/files/1/0439/0577/7832/files/nububojozejokogujebi.pdf
- https://cdn.shopify.com/s/files/1/0434/0776/9750/files/mulurar.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000059cd.bin` `0cc6cfb0d2aed3ac073519b786452e47d2dd558e249d88eff9c6e993c66e0304`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x59CD	5612 bytes
`font_01_sfnt_off00006cd6.bin` `2e7156995413728b93359405ce31ee4dfffe6c78ce686b514d494a79bfffca0d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CD6	10292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.