PDF malware analysis — malicious · 8b01968197605c9a

MALICIOUS

PDF

44.5 KB Created: 2020-08-20 18:58:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 69948e17194503e4a0edd162ab72044e SHA-1: 90c76f803070f0863fc04b87a1ae57cd79f082d0 SHA-256: 8b01968197605c9a776936774703e14c64aaf4d6d98508e41d9e44ed12ed0000

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to domains associated with link farms and redirectors, indicating a malicious intent to distribute further malicious content or phishing pages. The primary malicious URL identified is https://ttraff.ru/pify?keyword=sound+booster+mac, which is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains references to 'sound booster mac' and the URLs suggest a lure to download or access a resource, likely a scam. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=sound+booster+mac
- http://files.buffalocommonspress.com/uploads/1/3/1/4/131407214/9728085.pdf
- http://files.takemetomydoctor.com/uploads/1/3/2/6/132683017/3e1fcdec7.pdf
- http://files.dustyhikes.com/uploads/1/3/0/8/130874101/78747c273.pdf
- http://files.benlaughtonsmith.com/uploads/1/3/0/8/130813526/8b116f.pdf
- https://cdn.shopify.com/s/files/1/0437/6900/4190/files/ivern_guide_lol.pdf
- https://cdn.shopify.com/s/files/1/0437/6104/1559/files/bpsc_nursing_result_2020_download.pdf
- https://cdn.shopify.com/s/files/1/0434/5135/1200/files/proses_pembentukan_batuan_sedimen.pdf
- https://cdn.shopify.com/s/files/1/0435/2009/8472/files/pumuloxoxiwoj.pdf
- https://cdn.shopify.com/s/files/1/0437/0923/5353/files/conversion_word_zamzar.pdf
- https://cdn.shopify.com/s/files/1/0431/3815/4658/files/vunopumobobifex.pdf
- https://cdn.shopify.com/s/files/1/0432/7368/3112/files/guvinebosifad.pdf
- https://cdn.shopify.com/s/files/1/0439/1161/0520/files/bukoditaparimamuxifi.pdf
- https://cdn.shopify.com/s/files/1/0431/3818/7413/files/baby_cloth_pattern.pdf
- https://cdn.shopify.com/s/files/1/0433/5996/1237/files/kogotuwanemasekuw.pdf
- https://cdn.shopify.com/s/files/1/0429/0415/8375/files/21566487890.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006485.bin` `d8909975e9f6bc87b9737ed6f21e6fdb764eff0d5558bdb4dd85c2df22336ac7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6485	5128 bytes
`font_01_sfnt_off000075c2.bin` `d809dba6eb47f3d455c667a1ade77bc3366a36c0e0931a35da5c52991a6bad67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75C2	9848 bytes
`font_02_sfnt_off0000974b.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x974B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.