PDF malware analysis — malicious · a102fc948ad76350

MALICIOUS

PDF

48.0 KB Created: 2020-08-31 06:58:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1d7c94e52d503d3228d58f526e2871ab SHA-1: 9a3fd8968d4cfb21bee0095fe1075d380adb8d12 SHA-256: a102fc948ad76350df843b65daef9c80199db2f199387082221c1dae81a30af2

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links hosted on Shopify domains, though most appear benign. The presence of a visual download button lure further supports a malicious intent. The primary attack vector appears to be directing users to the malicious 'ttraff.ru' URL, likely as part of a phishing or malware distribution scheme.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=words+to+danny+boy
- https://cdn.shopify.com/s/files/1/0429/9577/7699/files/35065675342.pdf
- https://cdn.shopify.com/s/files/1/0434/3716/2646/files/after_20_years_story_in_english.pdf
- https://cdn.shopify.com/s/files/1/0431/4021/9041/files/jurnal_tentang_organel_sel.pdf
- https://cdn.shopify.com/s/files/1/0428/1358/7623/files/15474455180.pdf
- https://cdn.shopify.com/s/files/1/0436/2688/9374/files/69219437333.pdf
- https://cdn.shopify.com/s/files/1/0438/8877/1227/files/godox_tt600_manual_espaol.pdf
- https://cdn.shopify.com/s/files/1/0434/3899/7669/files/dr_isaac_goiz_duran_libros.pdf
- https://cdn.shopify.com/s/files/1/0435/2291/6520/files/50464976620.pdf
- https://cdn.shopify.com/s/files/1/0430/2897/1681/files/xameviriwofegibibadasimi.pdf
- https://cdn.shopify.com/s/files/1/0438/0291/9069/files/elk_guided_hunts_montana.pdf
- https://cdn.shopify.com/s/files/1/0434/3290/2806/files/elder_abuse_report_mass._gov.pdf
- https://cdn.shopify.com/s/files/1/0439/8972/9438/files/menagubusiniwiwa.pdf
- https://static.usrfiles.com/ugd/b8c837_f1c45884a71143b18055d956689e6f83.pdf
- https://static.usrfiles.com/ugd/3e87bf_c9cf895ee8bd400daf6733260da3a6fe.pdf
- https://static.usrfiles.com/ugd/c3f88d_83f329941b2648ba944394d3f2529148.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007e80.bin` `18e66de712c6c9a80dd3fc724079e7d804fe37311f5bf840991cd5c69f04de98`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E80	5044 bytes
`font_01_sfnt_off00008fc8.bin` `8119a71e91ffda81b31a372269073e45731793bd46e9f6542ec616a792ea70f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8FC8	10452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.