PDF malware analysis — malicious · 50ac034fa572431e

MALICIOUS

PDF

36.9 KB Created: 2020-08-22 23:40:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8333f5266bce74fc9f0dc96ce0e9c3e8 SHA-1: aa0fb864b4d22c7bd13f9315d6b2649e70884a3c SHA-256: 50ac034fa572431eac8e86a34ed8417816c494082841bf59f7501b4cad1f4f35

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=lego+batman+game+psp'. The document body, though heavily obfuscated, also contains this URL and numerous other links hosted on shopify.com, suggesting a link farm or redirection strategy. The primary intent appears to be directing users to malicious infrastructure under the guise of a game download.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=lego+batman+game+psp
- http://files.nicoleangelique.com/uploads/1/3/0/9/130969818/bb5686.pdf
- http://toxokek.globalgiftstravel.com/uploads/1/3/2/7/132740649/majebijesebat-xelupipujik-tebobafad.pdf
- http://files.thegreatpumpkinproject.com/uploads/1/3/0/9/130970015/dudufixupisovexurif.pdf
- https://cdn.shopify.com/s/files/1/0431/1053/1238/files/29892106396.pdf
- https://cdn.shopify.com/s/files/1/0431/3225/6407/files/webetiwumumasipar.pdf
- https://cdn.shopify.com/s/files/1/0433/3617/1688/files/craftsman_lt1000_starter.pdf
- https://cdn.shopify.com/s/files/1/0436/0755/6258/files/17321601765.pdf
- https://cdn.shopify.com/s/files/1/0434/0878/5565/files/ignou_admit_card_june_2020_availability_format.pdf
- https://cdn.shopify.com/s/files/1/0433/1700/2405/files/pewenewarop.pdf
- https://cdn.shopify.com/s/files/1/0431/0476/4068/files/my_chemical_romance_albums_zip.pdf
- https://cdn.shopify.com/s/files/1/0433/8984/5671/files/export_file_cdr_to.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/20136550696.pdf
- https://cdn.shopify.com/s/files/1/0439/0780/9448/files/78195603161.pdf
- https://cdn.shopify.com/s/files/1/0431/7813/1611/files/jividelajororaturadexuko.pdf
- https://cdn.shopify.com/s/files/1/0429/5429/3402/files/juvutubaminuxezunix.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000468d.bin` `4d2cebf00081b10b3dc0630f0d4abc728d966547f0651568617098f4b446b429`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x468D	4832 bytes
`font_01_sfnt_off000056dd.bin` `ab0de43e2489d055be6164f89db18d3f940abcb7376a58e3f11c8a8828d39ecd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56DD	9980 bytes
`font_02_sfnt_off000078d7.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78D7	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.