PDF malware analysis — malicious · 5897d6aaae72a043

MALICIOUS

PDF

43.5 KB Created: 2020-08-08 05:43:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3fe29775d0d99730e651eb206051554e SHA-1: 14e0f5c8c7123fb7af92c41656055283f78daf89 SHA-256: 5897d6aaae72a043747f5d6154fe6424e8da5246e492a3f0b7aa986c66f707f9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a direct link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'aptitude questions and answers for engineering students pdf free download', suggesting a lure for users seeking educational materials. The primary malicious link is https://ttraff.ru/pify?keyword=aptitude+questions+and+answers+for+engineering+students+pdf+free+download, which is likely used to redirect the user to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=aptitude+questions+and+answers+for+engineering+students+pdf+free+download
- http://files.casadeartegallery.com/uploads/1/3/2/7/132712306/mebofokixadedigo.pdf
- http://files.gatewaycathedral.com/uploads/1/3/1/0/131069869/7382438.pdf
- http://files.nwextremeoutfitters.com/uploads/1/3/0/7/130775668/c3b5e3f6b3ec541.pdf
- https://cdn.shopify.com/s/files/1/0436/2724/9826/files/military_college_jhelum_admission_form.pdf
- https://cdn.shopify.com/s/files/1/0430/8202/3061/files/35906918675.pdf
- https://cdn.shopify.com/s/files/1/0440/2744/5413/files/67521404574.pdf
- https://cdn.shopify.com/s/files/1/0428/3655/7987/files/george_bridgman_anatomy_book.pdf
- https://cdn.shopify.com/s/files/1/0435/2638/9912/files/82634931137.pdf
- https://cdn.shopify.com/s/files/1/0433/2906/1014/files/fumewedaxi.pdf
- https://cdn.shopify.com/s/files/1/0431/4424/9504/files/59608436282.pdf
- https://cdn.shopify.com/s/files/1/0433/1434/8197/files/14515910232.pdf
- https://cdn.shopify.com/s/files/1/0433/3993/9994/files/96277001823.pdf
- https://cdn.shopify.com/s/files/1/0431/9536/7585/files/lexupijadumasunimez.pdf
- https://cdn.shopify.com/s/files/1/0431/0673/0144/files/38902666429.pdf
- https://cdn.shopify.com/s/files/1/0431/2779/9969/files/83809392000.pdf
- https://cdn.shopify.com/s/files/1/0432/7673/0533/files/lovawedel.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c28.bin` `b4714e17da1628fb4f639defa4b35491291b4962f84d33836ca466c7989f87c2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C28	5296 bytes
`font_01_sfnt_off00006e3f.bin` `38ae92fe14a80d12019786664ee69bee117b2e5e2056792e9490f015fde61765`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E3F	10476 bytes
`font_02_sfnt_off000091d1.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x91D1	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.