PDF malware analysis — malicious · a263a946f96ce3ea

MALICIOUS

PDF

42.6 KB Created: 2020-08-13 21:59:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 713b8bc411ff501055b8c4b217f2ad8b SHA-1: 6d0bfcf5513a2d304adf0ed3d590bc78c70ebe5f SHA-256: a263a946f96ce3eaf976352b91b6556287b425f42f9a71deb19c5bcca9733c58

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body and extracted URLs suggest a lure related to 'Google docs spreadsheet excel compatibility' to drive traffic to the malicious ttraff.ru domain. The presence of multiple Shopify URLs, while marked as benign, are likely part of a link farm to improve SEO for the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=google+docs+spreadsheet+excel+compatibility
- http://zaziruzas.kdrecording.com/uploads/1/3/1/6/131607600/xiluze.pdf
- http://ripode.stevenstradley.com/uploads/1/3/0/7/130739173/figozolaboxo-venefe-vusukij-lekijiwekisiv.pdf
- http://files.allprorepairnc.com/uploads/1/3/1/1/131164260/d7a3d7408d.pdf
- http://zusofaj.mailfromacat.com/uploads/1/3/1/4/131407668/jijexaxe.pdf
- http://files.english.dollessence.com/uploads/1/3/0/9/130968926/vejatux_mokuxokefuv_tinegaxis.pdf
- https://cdn.shopify.com/s/files/1/0432/8800/2710/files/80794932179.pdf
- https://cdn.shopify.com/s/files/1/0448/7266/3202/files/estrategia_y_negocios.pdf
- https://cdn.shopify.com/s/files/1/0433/5622/5686/files/ketejob.pdf
- https://cdn.shopify.com/s/files/1/0428/6719/6063/files/90243196846.pdf
- https://cdn.shopify.com/s/files/1/0431/8894/5064/files/dnd_5e_wild_magic_table.pdf
- https://cdn.shopify.com/s/files/1/0432/1830/5179/files/lonely_planet_russia.pdf
- https://cdn.shopify.com/s/files/1/0433/4272/5275/files/pokemon_diamond_online.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/a_an_the_kullanm.pdf
- https://cdn.shopify.com/s/files/1/0427/3248/6823/files/dusuxezuragiw.pdf
- https://cdn.shopify.com/s/files/1/0433/6871/0300/files/56709095229.pdf
- https://cdn.shopify.com/s/files/1/0427/5663/6828/files/7768195592.pdf
- https://cdn.shopify.com/s/files/1/0431/3061/8011/files/kusawapaxenekatumavegimi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006471.bin` `5af137a2bbc2c8e7c9367fc7b4bae80723ac38059f9e9b6c4d34384fba7a2bad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6471	5828 bytes
`font_01_sfnt_off00007831.bin` `ad817df845c491cd3d64c090ede64c780c8b284ff7499a8cd53244496c25e22e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7831	11172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.