PDF malware analysis — malicious · 8906e0a8afc9bfbc

MALICIOUS

PDF

36.2 KB Created: 2020-08-30 16:52:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 85108db5af90cbedae129a0294668895 SHA-1: cad79f63718efeb56ded9ebee314d41df8828012 SHA-256: 8906e0a8afc9bfbc398bdece611777b0da7e002ff2bd70c93f8484ba8e77c516

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=stardew+valley+fishing+hack'. The document body also contains this URL and appears to be a lure related to 'stardew valley fishing hack'. The file also exhibits characteristics of a link farm, with numerous embedded URLs hosted on Shopify, suggesting an attempt to distribute content or traffic. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=stardew+valley+fishing+hack
- https://cdn.shopify.com/s/files/1/0431/2956/9434/files/ornamental_plants_catalogue.pdf
- https://cdn.shopify.com/s/files/1/0431/5817/5906/files/gugazameguwig.pdf
- https://cdn.shopify.com/s/files/1/0432/7276/5598/files/dupexalugusow.pdf
- https://cdn.shopify.com/s/files/1/0430/3552/5282/files/pcat_practice_questions.pdf
- https://cdn.shopify.com/s/files/1/0437/8496/2200/files/15378955352.pdf
- https://cdn.shopify.com/s/files/1/0451/4463/7605/files/catch_as_catch_can_wrestling.pdf
- https://cdn.shopify.com/s/files/1/0430/4722/3458/files/7941442248.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9142282406.pdf
- https://cdn.shopify.com/s/files/1/0451/3293/9417/files/31923239441.pdf
- https://cdn.shopify.com/s/files/1/0431/6128/8868/files/bmw_320i_2006_performance.pdf
- https://cdn.shopify.com/s/files/1/0427/7764/1116/files/89410600779.pdf
- https://cdn.shopify.com/s/files/1/0434/8670/7876/files/12017605343.pdf
- https://cdn.shopify.com/s/files/1/0431/5555/4455/files/fokegifovivebogopaja.pdf
- https://static.usrfiles.com/ugd/271e65_861042668b2842809d19d9af0e8a6144.pdf
- https://static.usrfiles.com/ugd/b8c837_9a533beecad245c59d93b09b0b65424e.pdf
- https://static.usrfiles.com/ugd/e3834b_54800d67a5b2466c96b744372ed16d06.pdf
- https://static.usrfiles.com/ugd/286fb8_518cb243e83142de9311b69440f41505.pdf
- https://static.usrfiles.com/ugd/0c4177_d2b3ee73cec64f5e8a0372ba06f29940.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004e0e.bin` `9565a4e6980dd7f345066ad667f06e2920066e990ac2b9725b8083ef97db0750`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4E0E	5704 bytes
`font_01_sfnt_off00006188.bin` `1cc306018bf9d405e0bdab0e110c9f1eb12e96bb2ffcdd9a875366b09500c8c1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6188	9976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.