PDF malware analysis — malicious · 4fa4ce73131290a5

MALICIOUS

PDF

46.0 KB Created: 2020-08-01 21:32:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8e34b3551b686d358e95af5f1b66c6e7 SHA-1: 1eac388e5e022b14cdf2479621d012aecefdee82 SHA-256: 4fa4ce73131290a50aa59ca1179dd7f921f7852bdd6f62928ca2fb1fddd809cf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to 'ttraff.ru', identified as a malicious redirector. The document body, though heavily obfuscated, contains the same URL, suggesting the primary intent is to redirect the user to a malicious site. No scripts were extracted, limiting the analysis of further payload delivery or persistence mechanisms.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=wolf+river+fishing+report
- http://files.reginastarkgallery.com/uploads/1/3/1/6/131636665/3609937.pdf
- http://files.reedsburgambulance.com/uploads/1/3/1/6/131606630/fe76bf2.pdf
- http://files.canisteowesleyanchurch.com/uploads/1/3/1/4/131453633/0d43fa.pdf
- http://files.prestigesupport.org/uploads/1/3/1/6/131606719/gepuwiwu.pdf
- http://files.bbluntsheabutter.shop/uploads/1/3/1/0/131071041/gorexezumudofejur.pdf
- http://files.bbluntsheabutter.shop/uploads/1/3/1/0/131071041/gorexezumud
- https://cdn.shopify.com/s/files/1/0437/8856/6677/files/76727939111.pdf
- https://cdn.shopify.com/s/files/1/0435/3448/3616/files/6931262135.pdf
- https://cdn.shopify.com/s/files/1/0428/9665/4489/files/vasazowotovesanavame.pdf
- https://cdn.shopify.com/s/files/1/0429/1824/8601/files/22711853864.pdf
- https://cdn.shopify.com/s/files/1/0437/3925/0853/files/46493467922.pdf
- https://cdn.shopify.com/s/files/1/0437/2935/4917/files/bemujunorapipivezubor.pdf
- https://cdn.shopify.com/s/files/1/0434/9139/3698/files/wopupumewaxavofag.pdf
- https://cdn.shopify.com/s/files/1/0438/3644/0726/files/saranolinibusifeziral.pdf
- https://cdn.shopify.com/s/files/1/0432/0716/4064/files/6272606762.pdf
- https://cdn.shopify.com/s/files/1/0428/8158/1209/files/wuvibiloladeta.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066a0.bin` `f6b7ec419e8c6534a389d8efb7003b9c2e4e0bd98631fb11811c8e2440fb6922`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66A0	4816 bytes
`font_01_sfnt_off0000770c.bin` `e06e89ed83139c4910911a8151e10f8a0a8b372136cf2d670be4b86f79641f15`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x770C	10988 bytes
`font_02_sfnt_off00009c80.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C80	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.