PDF malware analysis — malicious · 908a6435098ea15b

MALICIOUS

PDF

45.5 KB Created: 2020-08-13 00:50:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 48a23768d61fe5ec4f930dda665f6932 SHA-1: 75c5cc695f4a816b43bf589542fd8e73df4eab0d SHA-256: 908a6435098ea15be4f72772babd487ea957e2926c9317d784bd84c1d702c4bc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a large number of embedded links, a technique often used to create link farms for SEO manipulation or to redirect users to malicious sites. One critical heuristic identified a link to a known malicious redirector at https://ttraff.ru/wb?keyword=polarized%20light%20microscope%20pdf. The document body is heavily obfuscated but contains references to the same URLs, reinforcing the link farm attack pattern. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=polarized%20light%20microscope%20pdf
- http://files.summamomma.com/uploads/1/3/1/3/131397971/508713.pdf
- http://sajodo.marissabellino.com/uploads/1/3/1/4/131452883/ec10a0.pdf
- http://files.7thbattalion13thartillery.com/uploads/1/3/1/4/131483154/7849950.pdf
- http://files.kylacorbett.com/uploads/1/3/0/7/130738825/447597.pdf
- https://cdn.shopify.com/s/files/1/0435/1921/3727/files/sexexupo.pdf
- https://cdn.shopify.com/s/files/1/0428/4376/6950/files/wezarugi.pdf
- https://cdn.shopify.com/s/files/1/0434/7602/5497/files/43160733049.pdf
- https://cdn.shopify.com/s/files/1/0427/4031/8375/files/85476567169.pdf
- https://cdn.shopify.com/s/files/1/0434/4024/2840/files/mipevusemonivafubi.pdf
- https://cdn.shopify.com/s/files/1/0435/8373/3915/files/fisopanofugufigo.pdf
- https://cdn.shopify.com/s/files/1/0429/2925/8649/files/diddy_kong_racing_cheats.pdf
- https://cdn.shopify.com/s/files/1/0432/8023/6702/files/dod_form_2861.pdf
- https://cdn.shopify.com/s/files/1/0428/8099/1388/files/kb_to_bytes.pdf
- https://cdn.shopify.com/s/files/1/0431/1416/8480/files/goboxitosudowabeguzixiwor.pdf
- https://cdn.shopify.com/s/files/1/0438/6439/1845/files/nadubuxinuwima.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/golalebilafofuzugetuvi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066b2.bin` `110d81911fd8f5b53d5331c2d450fcc8cacc06dbdf85e8a928e240092a83f79f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66B2	5300 bytes
`font_01_sfnt_off000078c5.bin` `01be537d06c27fe3f4dc18244d69dde6bf2c56c5b03024523c0014a3cb0dd52f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78C5	9948 bytes
`font_02_sfnt_off00009ae0.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9AE0	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.