PDF malware analysis — malicious · a4181329e0ddaa9d

MALICIOUS

PDF

43.6 KB Created: 2020-08-07 00:58:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 08edb388ad17b8b368032e507e89c8f2 SHA-1: 66d3001310ba1f92a2845f1aa89103bbc08ef06d SHA-256: a4181329e0ddaa9d5b789a2c2a9d8014949b5bcf102acb1aa4023f45899febb5

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a link farm and a specific malicious redirector URL, disguised as a free download for AutoCAD software. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the link at https://ttraff.ru/pify?keyword=introduction+to+autocad+plant+3d+2020+pdf+free+download leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic indicates the document is designed to host numerous external links, likely for SEO manipulation or to distribute further malicious content. No scripts were extracted, but the presence of a malicious redirector and a link farm strongly suggests a phishing or malware distribution attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=introduction+to+autocad+plant+3d+2020+pdf+free+download
- http://files.marysalter.com/uploads/1/3/1/0/131070786/6165990.pdf
- http://bolekagi.visitdvcc.org/uploads/1/3/1/0/131069934/golijowowade.pdf
- http://files.dreadfullocksct.com/uploads/1/3/2/8/132816195/fa0cf5aa625.pdf
- https://cdn.shopify.com/s/files/1/0441/3744/7576/files/xujizubazo.pdf
- https://cdn.shopify.com/s/files/1/0431/5525/9546/files/76273905625.pdf
- https://cdn.shopify.com/s/files/1/0430/3316/5986/files/jemimajonupunotaw.pdf
- https://cdn.shopify.com/s/files/1/0433/0664/7717/files/93037608331.pdf
- https://cdn.shopify.com/s/files/1/0431/2635/8173/files/jutobujojesosumaziwo.pdf
- https://cdn.shopify.com/s/files/1/0440/1987/5998/files/kudifuforunuv.pdf
- https://cdn.shopify.com/s/files/1/0433/7162/6659/files/38428483387.pdf
- https://cdn.shopify.com/s/files/1/0436/9701/2890/files/93425572079.pdf
- https://cdn.shopify.com/s/files/1/0434/7461/6472/files/24795796660.pdf
- https://cdn.shopify.com/s/files/1/0431/6607/2994/files/82098873740.pdf
- https://cdn.shopify.com/s/files/1/0433/8476/6620/files/74325153164.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ac0.bin` `830bcc042ad55e2512074e563fb6e3ed533d7e7be300ccb202295e1cdcec4789`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6AC0	5436 bytes
`font_01_sfnt_off00007d62.bin` `519539d67d37d2bcade603aec0f95483c8740a972433fac513a4a3593848f61d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D62	10768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.