PDF malware analysis — malicious · 8b57497a0bc7ce27

MALICIOUS

PDF

49.6 KB Created: 2020-09-01 02:40:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 598db5411bd9632b10a6b922a1adb06d SHA-1: ff28e7530cc03c8c97408f6d045ef647ca8514fe SHA-256: 8b57497a0bc7ce27b98b800318aee3787682931dd24194456959b7cca389a44d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=actos+de+comercio+derecho+mercantil+pdf'. This indicates an attempt to redirect the user to a malicious site, likely for phishing or malware distribution. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking PDF links, suggesting a link farm or redirection tactic. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=actos+de+comercio+derecho+mercantil+pdf
- https://cdn.shopify.com/s/files/1/0436/9544/0040/files/9766988114.pdf
- https://cdn.shopify.com/s/files/1/0447/3644/6613/files/p55nf06_mosfet_datasheet.pdf
- https://cdn.shopify.com/s/files/1/0428/0372/4455/files/70215463574.pdf
- https://cdn.shopify.com/s/files/1/0430/8926/4794/files/83486142664.pdf
- https://cdn.shopify.com/s/files/1/0440/0542/5310/files/86733664432.pdf
- https://static.usrfiles.com/ugd/fa32a6_80a4ef25b2804c06b50fff33d1fe8cc5.pdf
- https://static.usrfiles.com/ugd/a44510_8f74a65170d94f98a5b4b3ea34fe3a0c.pdf
- https://static.usrfiles.com/ugd/e3834b_bde54e325812431fbd8fe9693019adaa.pdf
- https://static.usrfiles.com/ugd/51c472_090d9de225bf4f0f922286a4653bb536.pdf
- https://static.usrfiles.com/ugd/b8c837_f38d507272ba4bb5ac3f24534b1883b7.pdf
- https://static.usrfiles.com/ugd/b7ed05_0bcf20a1c40947cf8e5fcaad20759b98.pdf
- https://static.usrfiles.com/ugd/b8c837_0430c70f4fc94b58b4a252bb469f3863.pdf
- https://static.usrfiles.com/ugd/ce0e6d_8ab152fee0674520ae08c5d2d4ea722f.pdf
- https://cdn.shopify.com/s/files/1/0429/8568/5153/files/xufumufowalenef.pdf
- https://cdn.shopify.com/s/files/1/0446/0537/4628/files/pepilob.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000075ca.bin` `170e255aeaedf84c0fc82f47edfceaa021b2d7a54e10624bab868ac7bb8eb3b9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75CA	1964 bytes
`font_01_sfnt_off00007efe.bin` `afc2e877920fbf0722c7cd53acae965ed5488285265f91073c1454be51c22c5b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EFE	5384 bytes
`font_02_sfnt_off00009122.bin` `22d4cb630f33e7e1b70f739079cbe42e590b88638315356e22546a7b584507f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9122	11816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.