PDF malware analysis — malicious · 8ad41f0faca3089c

MALICIOUS

PDF

46.7 KB Created: 2020-08-03 07:22:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 747a02d68a1da11ae3ad29fd690b1ac1 SHA-1: ce6600c3c555e5ec5ae11644287826ca7297d4ac SHA-256: 8ad41f0faca3089cea349ce5c08dcccd65972955b631c04f666167c8f4f4bfdb

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=blackjack+in+java'. This indicates an attempt to direct users to a potentially harmful website. The document body, though heavily obfuscated, contains the same URL, reinforcing the lure. The presence of numerous other PDF links also suggests a link farm or redirection strategy.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=blackjack+in+java
- http://tibag.affordable-inspection.com/uploads/1/3/0/8/130814168/2331511.pdf
- http://files.tinopaitours.com/uploads/1/3/1/3/131398605/suburanatijod-pujawipu.pdf
- http://files.batrssocal.com/uploads/1/3/1/3/131384789/vipibifoxoteroxu.pdf
- http://files.jcrvtx.com/uploads/1/3/1/4/131408100/1113727.pdf
- https://cdn.shopify.com/s/files/1/0440/0916/0862/files/85990678020.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/64616943158.pdf
- https://cdn.shopify.com/s/files/1/0434/2936/3878/files/fikor.pdf
- https://cdn.shopify.com/s/files/1/0434/1468/3813/files/veseleketim.pdf
- https://cdn.shopify.com/s/files/1/0434/6671/9385/files/1099648752.pdf
- https://cdn.shopify.com/s/files/1/0432/7027/5237/files/41076521502.pdf
- https://cdn.shopify.com/s/files/1/0432/2869/2643/files/92529590306.pdf
- https://cdn.shopify.com/s/files/1/0431/3209/2573/files/lakafexigemoxejo.pdf
- https://cdn.shopify.com/s/files/1/0435/7718/0319/files/cr_6_monsters_5e.pdf
- https://cdn.shopify.com/s/files/1/0432/9367/1590/files/27438219399.pdf
- https://cdn.shopify.com/s/files/1/0435/8874/7423/files/43484023895.pdf
- https://cdn.shopify.com/s/files/1/0431/4651/0504/files/sonetobapafileniponedan.pdf
- https://cdn.shopify.com/s/files/1/0435/6354/8833/files/99227496367.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/f

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006da4.bin` `f50ec9ac6c078db72e0bb0e01fa6325fab36f756d56c0ebd5eec87f531f0b1f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DA4	4248 bytes
`font_01_sfnt_off00007c0c.bin` `65577c9c03be9268d3a7b393948de8ab111749289e25af048b0dd56e2753f166`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C0C	10372 bytes
`font_02_sfnt_off00009f80.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F80	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.