PDF malware analysis — malicious · a81bd3b648ee7cf4

MALICIOUS

PDF

43.0 KB Created: 2020-08-12 15:01:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 67c3a7e1f73bb06332df9c60b3a270fb SHA-1: c4fef9d4bb2ec6c6494cf77cc0991d6f55c8e146 SHA-256: a81bd3b648ee7cf40964af323249536a477452d117262beaf117e151307a8c0e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.ru/wb?keyword=asp.net%20c#%20tutorial%20for%20beginners%20with%20examples%20pdf, which is flagged as a malicious redirector. This indicates a likely attempt to direct users to malicious content or phishing pages under the guise of providing links to PDF documents.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=asp.net%20c#%20tutorial%20for%20beginners%20with%20examples%20pdf
- http://files.labyrinthcreations.com/uploads/1/3/0/8/130874642/8121399.pdf
- http://files.ergoproperties.com/uploads/1/3/2/7/132712185/2b2e7361c80.pdf
- http://files.amproed.com/uploads/1/3/0/8/130813827/lovebaxuwejeg.pdf
- http://files.designsbycaralouise.com/uploads/1/3/0/7/130739891/468aa5.pdf
- https://cdn.shopify.com/s/files/1/0438/8493/7384/files/purpose_driven_life_day_8.pdf
- https://cdn.shopify.com/s/files/1/0429/9977/5381/files/9178160975.pdf
- https://cdn.shopify.com/s/files/1/0428/0510/0711/files/ultimate_gd_t_pocket_guide.pdf
- https://cdn.shopify.com/s/files/1/0434/1415/9521/files/36674046413.pdf
- https://cdn.shopify.com/s/files/1/0432/6742/4409/files/62414661335.pdf
- https://cdn.shopify.com/s/files/1/0447/9755/8941/files/donunawitipagubabugibi.pdf
- https://cdn.shopify.com/s/files/1/0434/1478/2104/files/gefil.pdf
- https://cdn.shopify.com/s/files/1/0437/1962/2808/files/90462019166.pdf
- https://cdn.shopify.com/s/files/1/0429/4085/8527/files/nawiginasixo.pdf
- https://cdn.shopify.com/s/files/1/0435/2560/3488/files/rerirumigagajizo.pdf
- https://cdn.shopify.com/s/files/1/0432/5143/3627/files/nalisizedokepebutepe.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46506788711.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f59.bin` `4b3755e223789f1c9932f1d83c578d3a6124d517d6e0173baa74af393e062087`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F59	4240 bytes
`font_01_sfnt_off00006dc5.bin` `c92d29145934a5e99383a09730a03c2f0fcf89fdb75a29dd8a085b07b4eab948`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DC5	10408 bytes
`font_02_sfnt_off0000915c.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x915C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.