PDF malware analysis — malicious · 549351a6259fd744

MALICIOUS

PDF

42.5 KB Created: 2020-08-24 01:49:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 594711964151b49036f313071a1d2c80 SHA-1: 307db4d02ea3b6ad16f0928e7933daeec96d9612 SHA-256: 549351a6259fd744cd4564fd2ab521cee5a021bf0bca42843069da9cf6f1d65a

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a SE_INVOICE_LURE heuristic, indicating it is designed as a fake invoice or payment lure. It also fires a PDF_MALICIOUS_REDIRECTOR_LINK heuristic, pointing to the URL 'https://ttraff.ru/pify?keyword=microsoft+word+document+invoice+template', which is known to host malicious redirector infrastructure. Additionally, a PDF_SEO_LINK_FARM heuristic indicates a large number of external PDF links, with 'https://cdn.shopify.com/s/files/1/0431/0528/8352/files/rofupefijobojixekig.pdf' being the first identified. The document body, though heavily obfuscated, contains text related to invoice templates and URLs, reinforcing the lure tactic.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=microsoft+word+document+invoice+template
- http://jodaxiw.impulsivelust.com/uploads/1/3/0/8/130814187/dereruna-gesemikevuwo-nevoz-vonomarono.pdf
- https://cdn.shopify.com/s/files/1/0431/0528/8352/files/rofupefijobojixekig.pdf
- https://cdn.shopify.com/s/files/1/0429/8804/4447/files/35820071101.pdf
- https://cdn.shopify.com/s/files/1/0431/5381/7762/files/61602673604.pdf
- https://cdn.shopify.com/s/files/1/0429/4960/7590/files/initiation_coverage_report.pdf
- https://cdn.shopify.com/s/files/1/0434/0924/4317/files/35065451074.pdf
- https://cdn.shopify.com/s/files/1/0435/9805/3539/files/sheet_metal_gauge_conversion_chart.pdf
- https://cdn.shopify.com/s/files/1/0429/8424/3351/files/geponikijasa.pdf
- https://cdn.shopify.com/s/files/1/0451/8638/4023/files/lafexewawidikevol.pdf
- https://cdn.shopify.com/s/files/1/0437/7106/8577/files/diseo_de_un_elevador_de_cangilones.pdf
- https://cdn.shopify.com/s/files/1/0429/7064/4631/files/tewalubivemak.pdf
- https://cdn.shopify.com/s/files/1/0430/6056/0021/files/faturenukunefu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006823.bin` `b92ea1163ba78b73d7ab6184f8a22c613a3d8f0de9dc5eefece5f9ea91ce54c1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6823	5456 bytes
`font_01_sfnt_off00007ab1.bin` `f3502d2d5876770959cb8b266508dd3a418aa360ff382f861cfe26b268e0fd5c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7AB1	10168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.