PDF malware analysis — malicious · 9fed71cd3125d23f

MALICIOUS

PDF

54.5 KB Created: 2020-08-06 20:55:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4342a565035f6ed3acc13de78b83d825 SHA-1: d92a14eae557b9b2634a07053a9dcead06ab4c0c SHA-256: 9fed71cd3125d23f3c9b4364269325786608f06fe2bc22cf82de528105807b73

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external resources, including a known malicious redirector. The primary malicious URL identified is https://ttraff.ru/pify?keyword=rig+veda+in+odia+pdf+download, which is flagged as a malicious redirector. The document body, though partially corrupted, contains references to PDF downloads and appears to be a lure to disguise the malicious intent. The presence of numerous Shopify links suggests an attempt to blend malicious links with seemingly legitimate ones.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=rig+veda+in+odia+pdf+download
- http://files.josephbukartek.com/uploads/1/3/2/8/132814342/17406812ac568f.pdf
- http://files.theesabrinalopez.com/uploads/1/3/1/3/131383467/degifav.pdf
- http://files.pendleventures.com/uploads/1/3/0/7/130775598/8228145.pdf
- http://files.fieldtripfever.com/uploads/1/3/1/1/131164231/pojuxov-firazimumetobod-tujeb-rusos.pdf
- https://cdn.shopify.com/s/files/1/0440/8714/8694/files/important_full_forms_for_quiz.pdf
- https://cdn.shopify.com/s/files/1/0438/2621/7120/files/savage_arms_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0430/1111/3123/files/how_to_crack_a_software.pdf
- https://cdn.shopify.com/s/files/1/0433/7047/9768/files/download_cinderella_secret.pdf
- https://cdn.shopify.com/s/files/1/0432/8049/8841/files/95701468973.pdf
- https://cdn.shopify.com/s/files/1/0429/5573/5199/files/cant_stop_tab.pdf
- https://cdn.shopify.com/s/files/1/0433/5340/7646/files/75561093495.pdf
- https://cdn.shopify.com/s/files/1/0430/9021/5073/files/66044353887.pdf
- https://cdn.shopify.com/s/files/1/0432/1335/7214/files/22042601543.pdf
- https://cdn.shopify.com/s/files/1/0428/0041/4883/files/65666138014.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006915.bin` `08815a843297e8d992a24027f8c189abea18fe7fa2e9ce9e2242784a8a5c7221`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6915	5096 bytes
`font_01_sfnt_off00007aa5.bin` `a9a835d09b22301a9c85db093604b097eee287aae645b0073634efd431dd85ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7AA5	14912 bytes
`font_02_sfnt_off0000a910.bin` `014c12a48a9e7789c1f20780c9b9b4b693feead1a048795e491205f3eb786004`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA910	11548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.