PDF malware analysis — malicious · 5211edc83d1b57bd

MALICIOUS

PDF

52.2 KB Created: 2020-07-22 11:45:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 43fabd5c804796509ae3db8238a05ca7 SHA-1: f7a12a9506bdb617cc32f5b31b19b207f7902baa SHA-256: 5211edc83d1b57bd597d2255515ac1bcc3f8da06887252ae85556e221b25eac8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, appears to be related to a workstation datasheet, suggesting a lure to trick users into clicking the malicious link. The primary malicious IOC is the ttraff.ru URL, which is confirmed to redirect to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=hp%20z840%20workstation%20datasheet%20pdf
- http://files.aloenottingham.com/uploads/1/3/1/6/131637168/murulalirovotefexise.pdf
- http://files.millbrookrotarydirectory.com/uploads/1/3/0/7/130775846/d99ea.pdf
- http://files.chillnbeans.com/uploads/1/3/1/1/131164152/tirowujuja.pdf
- http://files.sprocket-theatre.com/uploads/1/3/1/4/131482944/89b084f.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zemeletitofugawekabol.pdf
- https://cdn.shopify.com/s/files/1/0431/2019/7789/files/jumixawugixulemunuwixigo.pdf
- https://cdn.shopify.com/s/files/1/0438/3506/4480/files/53813497287.pdf
- https://pemifuxo.files.wordpress.com/2020/07/razonerine.pdf
- https://puponiwil.files.wordpress.com/2020/06/zububatadubosuw.pdf
- https://nubudin.files.wordpress.com/2020/06/tiruwumudadiretujurew.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78539107281.pdf
- https://cdn.shopify.com/s/files/1/0432/9105/0137/files/pulemewupewiw.pdf
- https://cdn.shopify.com/s/files/1/0432/7574/7484/files/biwikezodokoxiriruk.pdf
- https://cdn.shopify.com/s/files/1/0437/2670/0696/files/tolarijosiwavuzudum.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/74098669839.pdf
- https://cdn.shopify.com/s/files/1/0429/7005/4805/files/waguxebuzepajuvigudepet.pdf
- https://cdn.shopify.com/s/files/1/0431/8828/9694/files/bimetivos.pdf
- https://cdn.shopify.com/s/files/1/0434/4492/8674/files/xogovuvoveponixo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://pemifuxo.files.wordpress.com/2020/07

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008165.bin` `47a06eca46ba75bf279ac87aba119511cd147f911514b99f4de11bcb0feb705d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8165	5476 bytes
`font_01_sfnt_off0000940d.bin` `94bf16a5341bb426d2c8abd1b95ee5bda63332c056ee9dd7274a98af7fe9de55`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x940D	15080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.