PDF malware analysis — malicious · 9620fe7ebc31c686

MALICIOUS

PDF

45.5 KB Created: 2020-08-03 19:52:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6840b0ebfbf8e6248789e1d0847b5478 SHA-1: 07e78d32ab77cbabf85326b5b3f0b612e900e3e0 SHA-256: 9620fe7ebc31c6861db9cbf26d1d53407272839ac282bb2747e0792c65f7b94c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure via the URL https://ttraff.ru/pify?keyword=articles+of+association+format+pdf. This suggests the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=articles+of+association+format+pdf
- http://files.manchesterartistsbookfair.com/uploads/1/3/1/4/131483009/6595966.pdf
- http://files.just-verandas.com/uploads/1/3/1/3/131379045/xobuxisedujus_wekabod.pdf
- http://files.victorheritagesociety.com/uploads/1/3/0/8/130813782/zufef-lakojafifiw-rutejezo-bosexetigomezeb.pdf
- http://files.montanaherbalist.com/uploads/1/3/0/7/130776110/ba1d6de3493.pdf
- https://cdn.shopify.com/s/files/1/0431/1236/6229/files/benijobelinetixunebibasa.pdf
- https://cdn.shopify.com/s/files/1/0436/9137/6794/files/66484362083.pdf
- https://cdn.shopify.com/s/files/1/0432/5385/8472/files/lidazalimevikeluse.pdf
- https://cdn.shopify.com/s/files/1/0431/3609/0267/files/92876011694.pdf
- https://cdn.shopify.com/s/files/1/0433/5131/0488/files/raderugimoxerakawax.pdf
- https://cdn.shopify.com/s/files/1/0434/0757/3157/files/pijolipa.pdf
- https://cdn.shopify.com/s/files/1/0434/2346/5628/files/58228463860.pdf
- https://cdn.shopify.com/s/files/1/0428/6450/9094/files/mufedafutesusekinebup.pdf
- https://cdn.shopify.com/s/files/1/0431/7406/8390/files/4155714301.pdf
- https://cdn.shopify.com/s/files/1/0431/4251/2797/files/mod_rejections_pixelmon.pdf
- https://cdn.shopify.com/s/files/1/0429/8244/1113/files/34469982943.pdf
- https://cdn.shopify.com/s/files/1/0436/9947/0486/files/troy_bilt_bronco_tiller_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/0204/4316/files/zokulatidapad.pdf
- https://cdn.shopify.com/s/files/1/0430/1481/5901/files/2160652391.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007400.bin` `0102216fff718e9510573e263228d5fef84c36ed52b8e2b5e98bbb28655a1637`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7400	5288 bytes
`font_01_sfnt_off000085e7.bin` `921e5f475404c235f54073b174f730259e1039cf8b754f83490cf394e5f4c426`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x85E7	10140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.