PDF malware analysis — malicious · 921ae3075167b6b3

MALICIOUS

PDF

42.7 KB Created: 2020-08-15 05:07:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 86002ca52f477ea0e33c7319ae229f74 SHA-1: 4403b47095c0d1876203c3a36dac9bd28f8fa20c SHA-256: 921ae3075167b6b385f7741ac9eb2fe611ffba02a3f7ac4cb60a8d1f519c707e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to `https://ttraff.ru/pify?keyword=black+heart+hd+wallpapers+for+android`. This indicates the document's primary purpose is to redirect the user to malicious infrastructure, likely for further exploitation or phishing. The document also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO link farm abuse to improve search engine ranking for malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=black+heart+hd+wallpapers+for+android
- http://vesani.utahversatility.com/uploads/1/3/1/8/131856158/gizuzom-dokogonibavig-pamipo.pdf
- http://files.scarlett17knits.com/uploads/1/3/1/3/131384583/pejixopora.pdf
- https://cdn.shopify.com/s/files/1/0434/4043/9446/files/12435042908.pdf
- https://cdn.shopify.com/s/files/1/0454/8486/7736/files/excel_free_timeline_template.pdf
- https://cdn.shopify.com/s/files/1/0445/7195/1268/files/genki_answer_key.pdf
- https://cdn.shopify.com/s/files/1/0438/4522/2550/files/descargar_caballo_de_troya_5.pdf
- https://cdn.shopify.com/s/files/1/0431/7007/0690/files/cambridge_academic_english_advanced_download.pdf
- https://cdn.shopify.com/s/files/1/0433/3440/2216/files/web_development_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0431/0820/4704/files/vibofoxuzefifo.pdf
- https://cdn.shopify.com/s/files/1/0428/0942/6079/files/97208353136.pdf
- https://cdn.shopify.com/s/files/1/0435/6843/1265/files/92372517258.pdf
- https://cdn.shopify.com/s/files/1/0429/1425/0905/files/8888873201.pdf
- https://cdn.shopify.com/s/files/1/0432/2508/8168/files/pixikewen.pdf
- https://cdn.shopify.com/s/files/1/0433/3672/8726/files/pajilular.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c1c.bin` `57b752963821b0ecc92beb2ffe6eb2a1a6689a744950f9b0468a74c95d1d1841`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C1C	5236 bytes
`font_01_sfnt_off00006dec.bin` `d2c97a49a7c0864ae0ba85ffbde276f9000900832420df7e7d013ca47b7061a8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DEC	9924 bytes
`font_02_sfnt_off00008fe2.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8FE2	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.