PDF malware analysis — malicious · 5313bc9c0537f127

MALICIOUS

PDF

42.8 KB Created: 2020-08-14 22:51:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 86de1a02140889c051560e3d152c93a7 SHA-1: 06a15b2d6c950af3b61b09d63a754a18b081982b SHA-256: 5313bc9c0537f127d8b4621f2df0ca8516287ca7d3c9866c845793472bd3a9a1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm designed to manipulate search engine results. One prominent link directs to a known malicious redirector at 'ttraff.ru'. The document body, though partially corrupted, contains the text 'Finding missing sides and angles worksheet', suggesting a lure to disguise the malicious intent. No scripts were extracted, but the heuristic firings strongly indicate a phishing or redirection attack.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=finding+missing+sides+and+angles+worksheet
- http://files.hat.ag/uploads/1/3/1/3/131381675/mezibu.pdf
- http://mizozoz.myangerundercontrol.net/uploads/1/3/1/0/131070152/pudibisad.pdf
- http://files.eastmtnculture.com/uploads/1/3/0/9/130969826/6324334.pdf
- http://files.blueheronherbary.com/uploads/1/3/1/4/131408581/tewuligulawini.pdf
- http://gixofu.savingthosewhosaveus.com/uploads/1/3/1/6/131606490/bitopalexora-pusefexaxili.pdf
- https://cdn.shopify.com/s/files/1/0435/4103/7207/files/46402609938.pdf
- https://cdn.shopify.com/s/files/1/0440/9825/7048/files/mijewizaxodilatisaw.pdf
- https://cdn.shopify.com/s/files/1/0430/6465/6026/files/manual_de_opera.pdf
- https://cdn.shopify.com/s/files/1/0434/2064/7576/files/tigutol.pdf
- https://cdn.shopify.com/s/files/1/0435/9861/0589/files/gojifok.pdf
- https://cdn.shopify.com/s/files/1/0435/7675/4344/files/49135223027.pdf
- https://cdn.shopify.com/s/files/1/0436/6155/7913/files/xivusetaxujiv.pdf
- https://cdn.shopify.com/s/files/1/0431/3061/8011/files/19527840085.pdf
- https://cdn.shopify.com/s/files/1/0429/4203/8182/files/20593996830.pdf
- https://cdn.shopify.com/s/files/1/0433/8984/5671/files/52197179239.pdf
- https://cdn.shopify.com/s/files/1/0437/6762/7928/files/fuxomatuko.pdf
- https://cdn.shopify.com/s/files/1/0431/9795/6258/files/mivadofilofajarif.pdf
- https://cdn.shopify.com/s/files/1/0428/1538/9855/files/intermediate_accounting_15th_edition_study_guide.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000068d5.bin` `37d52b22f8dc07d31f83e74e8dc44797604002c7082e030a1b7db09783487f15`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x68D5	5352 bytes
`font_01_sfnt_off00007ae9.bin` `d703c443c688dcca076d2a1cd445ced26268fcfa44ca25376fb11649762e1129`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7AE9	10200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.