PDF malware analysis — malicious · 56ecd021d262a5fc

MALICIOUS

PDF

38.5 KB Created: 2020-08-19 21:04:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ea34f44a78a43190535f4b3818f7521c SHA-1: 288c59b3aa5305cf666735e8bf8d4a22b22fba4a SHA-256: 56ecd021d262a5fcf560cb2279052474cf0cf294579117dea8c64a08fa13b97c

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=emergency+reporting+software+cost'. It also exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body, though heavily obfuscated, contains fragments of the malicious URL and benign-looking PDF filenames, suggesting a lure to disguise the malicious intent. The primary attack pattern involves redirecting the user to a malicious site via a link presented with a sense of urgency.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=emergency+reporting+software+cost
- http://files.fycdepaper.com/uploads/1/3/1/4/131406391/0e835b0a.pdf
- https://cdn.shopify.com/s/files/1/0429/4384/0412/files/45874429000.pdf
- https://cdn.shopify.com/s/files/1/0432/7315/8821/files/liveboj.pdf
- https://cdn.shopify.com/s/files/1/0437/6605/5063/files/8294211528.pdf
- https://cdn.shopify.com/s/files/1/0441/0979/1384/files/apache_hive_books.pdf
- https://cdn.shopify.com/s/files/1/0431/2665/3090/files/21715761707.pdf
- https://cdn.shopify.com/s/files/1/0434/5469/3529/files/jekifudetogugidive.pdf
- https://cdn.shopify.com/s/files/1/0430/8644/6746/files/john_macionis_sociology_14th_edition.pdf
- https://cdn.shopify.com/s/files/1/0437/6897/1421/files/carnival_of_venice_alto_sax.pdf
- https://cdn.shopify.com/s/files/1/0433/0985/8969/files/balasubramaniam_hit_songs_free.pdf
- https://cdn.shopify.com/s/files/1/0433/7480/5148/files/youtube_video_converter_unblocked.pdf
- https://cdn.shopify.com/s/files/1/0428/0582/1599/files/zoragopuji.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96989945255.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000058bd.bin` `2abf4fafda686894f5275f7cd74e92a6eb231ccaae486c2f9e7348fa1df5c19b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x58BD	5456 bytes
`font_01_sfnt_off00006b4b.bin` `da087c5b4e1d55779079ba7dfeba3c1eca9511eb0443ca3f987164604f299e24`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B4B	9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.