PDF malware analysis — malicious · a0b9088384b35ef8

MALICIOUS

PDF

48.0 KB Created: 2020-08-23 04:54:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2144db7a33e7fe4418c83730f5ad7ae7 SHA-1: 6d38c61ccf98598023f35cee31b9db1a31c8fac5 SHA-256: a0b9088384b35ef8530fe3321da24822015708e6a3b1d8c4c86fc35f9a1fd16e

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or SEO poisoning attempt. One critical heuristic identified a direct link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=schindler%2527+s+list+movie+free'. This URL is presented as a lure for a movie download, indicating a social engineering tactic to redirect users to malicious content. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=schindler%2527+s+list+movie+free
- http://rifuzug.alinacruzfengshui.com/uploads/1/3/1/3/131383309/7371171.pdf
- https://cdn.shopify.com/s/files/1/0435/3766/2103/files/plural_nouns_rules_exercises.pdf
- https://cdn.shopify.com/s/files/1/0433/9538/3446/files/tagujikedevokibom.pdf
- https://cdn.shopify.com/s/files/1/0433/4557/6088/files/74282448378.pdf
- https://cdn.shopify.com/s/files/1/0447/3038/4537/files/bet_cypher_eminem_mp3_download.pdf
- https://cdn.shopify.com/s/files/1/0435/9369/5391/files/the_power_of_autosuggestion.pdf
- https://cdn.shopify.com/s/files/1/0432/2259/7796/files/27444748830.pdf
- https://cdn.shopify.com/s/files/1/0437/5930/4865/files/lolomoxezonituroji.pdf
- https://cdn.shopify.com/s/files/1/0429/9302/5183/files/73906003052.pdf
- https://cdn.shopify.com/s/files/1/0434/3532/7653/files/64098815135.pdf
- https://cdn.shopify.com/s/files/1/0431/0230/6468/files/miratiguke.pdf
- https://cdn.shopify.com/s/files/1/0428/7679/7081/files/kamow.pdf
- https://cdn.shopify.com/s/files/1/0435/3274/6906/files/sexilu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006f28.bin` `34e2a346c4aa0edf19da69c44f5dc64ba028c080bbd8ab0d90900b5f208d5283`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F28	5036 bytes
`font_01_sfnt_off00008014.bin` `8009313600ea97e77f07c41f5130b79ee87d89d7e56d77f49b1d140c5ec32ba2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8014	10332 bytes
`font_02_sfnt_off0000a379.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA379	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.