PDF malware analysis — malicious · 58db78ab889ea25a

MALICIOUS

PDF

37.5 KB Created: 2020-08-30 06:09:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 828b815f1a408b6a10cee8632e44852b SHA-1: 925dd7001f7cb1c6c9be3f6ae22db313745a9e0a SHA-256: 58db78ab889ea25a6b966dd605c72bb881d3688c7d2d7ad47a793be8b7bbfc14

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.ru/wix?keyword=colt+ar+15+instruction+manual`. This URL is presented within the document body, disguised as a manual, to entice users to click it. The file also exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The primary malicious URL is the most significant IOC.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=colt+ar+15+instruction+manual
- https://cdn.shopify.com/s/files/1/0434/7772/9430/files/nijafujer.pdf
- https://cdn.shopify.com/s/files/1/0430/4463/4773/files/hartmann_group_annual_report_2017.pdf
- https://cdn.shopify.com/s/files/1/0434/1107/9317/files/agricultural_science_textbook_grade_12_download.pdf
- https://cdn.shopify.com/s/files/1/0429/9502/4025/files/kawimazejalapoz.pdf
- https://cdn.shopify.com/s/files/1/0435/3107/5743/files/68286605963.pdf
- https://cdn.shopify.com/s/files/1/0434/9889/7574/files/handwriting_sheets.pdf
- https://cdn.shopify.com/s/files/1/0433/9639/9269/files/medical_tourism_articles.pdf
- https://cdn.shopify.com/s/files/1/0435/8874/7423/files/wow_sinestra_solo.pdf
- https://cdn.shopify.com/s/files/1/0447/6072/7703/files/axis_mutual_fund_nomination_form.pdf
- https://cdn.shopify.com/s/files/1/0432/1715/8312/files/vezekewijilesa.pdf
- https://cdn.shopify.com/s/files/1/0434/2461/2509/files/madden_15_strategy_guide.pdf
- https://cdn.shopify.com/s/files/1/0431/7223/3380/files/rapolerojo.pdf
- https://cdn.shopify.com/s/files/1/0437/8748/5342/files/simeter.pdf
- https://static.usrfiles.com/ugd/77eba6_8486945b75e94d7fb59d025654ac3cc9.pdf
- https://static.usrfiles.com/ugd/0f5b72_1b40afc6cbe14f2091a96b55234ca472.pdf
- https://static.usrfiles.com/ugd/5bb01c_5766a4f0e1e54944b8da514533ec233d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004a36.bin` `e1fa153109c7f87a80d5fc8e625c3cf9f2767632da85ee4ca5713626cba0bd12`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4A36	4908 bytes
`font_01_sfnt_off00005acd.bin` `cd06a73d8788d4468defb0bfb433e04f9a2d77b5d2f85b31b939bfdc6f48a268`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5ACD	9428 bytes
`font_02_sfnt_off00007b16.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B16	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.