PDF malware analysis — malicious · 9b5e9ce73c03c316

MALICIOUS

PDF

47.6 KB Created: 2020-08-31 18:26:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 707692e7ed1da4d96ee340006844aedb SHA-1: c246a1d12c5fb35d15240e80b6da75b711d2a2ad SHA-256: 9b5e9ce73c03c31693ae91f616edccb59748752caf8c3c4b7f06329136e84c35

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF_SEO_LINK_FARM'. The primary malicious URL, 'https://ttraff.ru/pify?keyword=woodchuck+could+chuck+wood+answer', is flagged as a malicious redirector. The document body appears to be heavily obfuscated or corrupted, but the presence of these links strongly suggests a malicious intent, likely related to SEO manipulation or redirecting users to harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=woodchuck+could+chuck+wood+answer
- https://cdn.shopify.com/s/files/1/0431/1112/1063/files/fevazogumami.pdf
- https://cdn.shopify.com/s/files/1/0437/8502/7745/files/article_285_labor_code.pdf
- https://cdn.shopify.com/s/files/1/0433/5294/8901/files/7186804027.pdf
- https://cdn.shopify.com/s/files/1/0433/7722/9982/files/aquifer_test_report.pdf
- https://cdn.shopify.com/s/files/1/0432/8567/6188/files/biugo_app_mod_apk.pdf
- https://cdn.shopify.com/s/files/1/0433/9708/7390/files/11313510949.pdf
- https://cdn.shopify.com/s/files/1/0437/0182/9797/files/vomoxitokuxovunenunogix.pdf
- https://static.usrfiles.com/ugd/7dd30d_ba5bd38b208148e5b2421fe566c66a50.pdf
- https://static.usrfiles.com/ugd/2f8cea_f5246cd3486b41fc8054dcf4fd9b681d.pdf
- https://static.usrfiles.com/ugd/a382ee_3f3416a420f54d1885769e9f0e55a9d9.pdf
- https://static.usrfiles.com/ugd/1b8612_e3c65ccece2e4a578a4909eafc5ae83e.pdf
- https://static.usrfiles.com/ugd/b8c837_49215ce896c84ea9bc3c71259407e086.pdf
- https://static.usrfiles.com/ugd/b8c837_0ed2ea15a0cd4167ab7d6c4bb16740d8.pdf
- https://static.usrfiles.com/ugd/cac9e4_e70a8d0348d349008f6d5e43b48689e3.pdf
- https://static.usrfiles.com/ugd/b58d21_bb94f464b7c14ed0ad551c78e7e80882.pdf
- https://static.usrfiles.com/ugd/b8c837_c1266376baf84cf9b588fbbaa136fb84.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000728e.bin` `4c765d52319a894d1da308ac75c07bfe389e4ff36c9052f23241309b4f852bed`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x728E	5196 bytes
`font_01_sfnt_off00008441.bin` `51ebeec29509b87aa858d500e37ac8853184703d07d1f913ce36d8e1dc7764c0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8441	1800 bytes
`font_02_sfnt_off00008ccf.bin` `23dc2db515068d83b3b7c17274c55890e4a8e9719c01afa5ab0f175f8ce243a1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8CCF	10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.