PDF malware analysis — malicious · 7ac61ceabef5ae88

MALICIOUS

PDF

47.1 KB Created: 2020-08-19 20:49:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cb36e4e410c08622b0e30364d3868c3c SHA-1: 1323f1a9e0d61bf90e4d826fd9d20bcbbdd09d3d SHA-256: 7ac61ceabef5ae887a09db59bb435db29fd58ba58a52dce15da01beebc24fd1f

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. It also exhibits characteristics of a PDF link farm, with numerous links hosted on Shopify. The document body, though heavily obfuscated, contains a URL that appears to be a lure for a game download. The presence of a password-protected archive lure suggests an attempt to bypass gateway security. The primary attack vector is a malicious link designed to redirect users to harmful content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=battle+realms+3++full+free
- http://files.valleytems.org/uploads/1/3/0/7/130776312/favumifu.pdf
- http://files.adobeforfashion.net/uploads/1/3/2/6/132695919/1d5642acef07444.pdf
- http://vamanoret.jilliandavid.net/uploads/1/3/1/4/131483378/4151268.pdf
- http://vamanoret.jilliandavid.net/uploads/1
- https://cdn.shopify.com/s/files/1/0429/6186/2810/files/69402322525.pdf
- https://cdn.shopify.com/s/files/1/0431/3926/8774/files/79451305561.pdf
- https://cdn.shopify.com/s/files/1/0431/4421/6727/files/74079224054.pdf
- https://cdn.shopify.com/s/files/1/0437/7998/1470/files/77714460424.pdf
- https://cdn.shopify.com/s/files/1/0434/0934/2621/files/20534641175.pdf
- https://cdn.shopify.com/s/files/1/0440/2397/2005/files/bafufesarinari.pdf
- https://cdn.shopify.com/s/files/1/0427/5827/5238/files/xatepuze.pdf
- https://cdn.shopify.com/s/files/1/0432/7407/6315/files/little_alchemy_cheat_sheet.pdf
- https://cdn.shopify.com/s/files/1/0451/2271/5801/files/wovatebodilegef.pdf
- https://cdn.shopify.com/s/files/1/0435/6079/6318/files/spinal_anesthesia_procedure.pdf
- https://cdn.shopify.com/s/files/1/0437/8981/1861/files/51183203957.pdf
- https://cdn.shopify.com/s/files/1/0430/6888/3106/files/rodoxi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007b38.bin` `684193d1e3c05df5731f6538fcb4614500b518e648938b133e68acdacb28885e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B38	5124 bytes
`font_01_sfnt_off00008c8d.bin` `6f6a31de7b781c5c3d6b47269ac6db15f4adaf71a408af75e7343667d469717c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C8D	10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.