PDF malware analysis — malicious · ae1a58a3cd04fbb6

MALICIOUS

PDF

45.4 KB Created: 2020-08-02 16:31:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7e2e21484f89dfaecf5d1efeb79b02cc SHA-1: c48106b70fbb6aa7d05af6e2308e068eed1f82a4 SHA-256: ae1a58a3cd04fbb69893241b3d8f5c53198fdb2cc32885dc22267e1668ea8a77

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One of the primary links redirects to a known malicious URL, ttraff.ru, which is likely used for further malicious redirection or phishing. The document body contains garbled text along with the primary malicious URL and several benign-looking Shopify URLs, suggesting an attempt to obscure the malicious intent. The presence of a link farm and a malicious redirector indicates a social engineering attack aimed at luring users to malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=igo+primo+usa
- http://files.theimaginariumnh.com/uploads/1/3/1/3/131384173/82b7f9755762e93.pdf
- http://files.randymcmusic.com/uploads/1/3/0/7/130775446/1922930.pdf
- http://files.babylonreader.com/uploads/1/3/1/4/131437753/4537905.pdf
- http://files.fortis-fp.com/uploads/1/3/0/8/130874627/ximafujera-gutiwido-toritekom.pdf
- https://cdn.shopify.com/s/files/1/0429/1022/0447/files/92106353051.pdf
- https://cdn.shopify.com/s/files/1/0428/3308/4575/files/vesexezonugaritutunedo.pdf
- https://cdn.shopify.com/s/files/1/0430/4856/6933/files/20079144664.pdf
- https://cdn.shopify.com/s/files/1/0439/7917/8142/files/superman_returns_video_game.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mijafovaginidobu.pdf
- https://cdn.shopify.com/s/files/1/0428/3174/1095/files/54538411627.pdf
- https://cdn.shopify.com/s/files/1/0434/6278/7237/files/jezozavogisinepigesidap.pdf
- https://cdn.shopify.com/s/files/1/0430/6288/6554/files/23238037294.pdf
- https://cdn.shopify.com/s/files/1/0437/7211/7141/files/wadokezexurubutubimo.pdf
- https://cdn.shopify.com/s/files/1/0431/5293/3024/files/sosetozabaki.pdf
- https://cdn.shopify.com/s/files/1/0432/8521/7436/files/mufuraxoxe.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e77.bin` `3da8cf6181cc49be09b2de3ddcc131304744b0ff635fbd370272841121c36293`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E77	5044 bytes
`font_01_sfnt_off00006f8f.bin` `1e7141a3fa137fa3565f394821beba5efb810596ae9922ba1f777913569c99d8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F8F	10252 bytes
`font_02_sfnt_off00009295.bin` `1b44218257806f750c7fedc2cca84b6b30ff477c2da870f9e14c0541087d9c9f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9295	16544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.