Malware Insights
The PDF file contains a large number of embedded links, many of which point to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.ru'. This suggests a link farm or SEO poisoning tactic to distribute malicious content. The document body, though heavily obfuscated, contains the target URL, reinforcing the lure of a 'cyber security procedures template'. No scripts were extracted, but the presence of a malicious redirector indicates a likely attempt to lead the user to a phishing or malware download site.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL:
- https://ttraff.ru/wix?keyword=cyber+security+procedures+template
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007880.bin 4dbd32e07c84842e9c02c964f06df29ecae52cce7f87bb6f587836807308d03b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7880 | 5364 bytes |
| font_01_sfnt_off00008aa5.bin 90edcbf8b1a9397c6e6237bda2165bbf5375c9006033c902dff44870215cdb48 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AA5 | 10052 bytes |