PDF malware analysis — malicious · aec6012f1fc1034f

MALICIOUS

PDF

139.0 KB Created: 2020-08-30 12:30:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8a56c507b14a5c25fc4bba6a51a87db1 SHA-1: c38852d9195afae19a4c4ba6ccf7bb129ea9b520 SHA-256: aec6012f1fc1034f35cae7e367aa1905f0a23a74e5d5c1f29e9c7bafd3a00e48

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=omg+hindi+movie+full'. This URL is presented within the document body, suggesting a social engineering lure to trick users into clicking it. The file also exhibits characteristics of a link farm, with numerous embedded URLs, further supporting the malicious intent of redirecting users to potentially harmful sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=omg+hindi+movie+full
- https://cdn.shopify.com/s/files/1/0431/9015/7474/files/88155611408.pdf
- https://cdn.shopify.com/s/files/1/0454/4793/8206/files/entrusting_this_world_to_idols_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0432/6490/1270/files/nasepojedifewa.pdf
- https://cdn.shopify.com/s/files/1/0428/9436/0743/files/maeby_funke_report_card.pdf
- https://cdn.shopify.com/s/files/1/0432/6175/5547/files/wd_gann_books.pdf
- https://static.usrfiles.com/ugd/865d50_a9a72ef119344be6b5ea2673a58d7569.pdf
- https://static.usrfiles.com/ugd/badafb_fc1b527396c948879cee5df31901dc90.pdf
- https://static.usrfiles.com/ugd/b8c837_ee0d36fb861e4d979eb0f0044a33be40.pdf
- https://static.usrfiles.com/ugd/7dd30d_dabd66922d0c49ccad77dc93d7c0bb30.pdf
- https://cdn.shopify.com/s/files/1/0430/2408/9242/files/11178131459.pdf
- https://cdn.shopify.com/s/files/1/0431/6263/2360/files/23806761195.pdf
- https://cdn.shopify.com/s/files/1/0429/2021/4681/files/53457707051.pdf
- https://cdn.shopify.com/s/files/1/0432/0745/8975/files/bounce_free_and_gentle_dryer_sheets_ingredients.pdf
- https://static.usrfiles.com/ugd/b8c837_fde285ca2f0545b58b282b894a371ec7.pdf
- https://static.usrfiles.com/ugd/b8c837_4ff32f78a12449649dd687e530b692e7.pdf
- https://static.usrfiles.com/ugd/f14cf6_9d1ea0d567da49b1ae0acf05d824d055.pdf
- https://static.usrfiles.com/ugd/efb3f0_d883e0bab10a4b09a44ff45f73da7213.pdf
- https://static.usrfiles.com/ugd/a2c2bc_9c6b971f6e46408b9b8efcbab9a5f1f6.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001d7d6.bin` `16fb4a56ca48aa325794573759e23df321d5d85f5ed7a876b69e4a603fe52cfa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1D7D6	4924 bytes
`font_01_sfnt_off0001e888.bin` `c3db05701cef90f4d4d8d3631500aaeb8e7ae2859a4f021e6a958c4bf9b66759`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1E888	17680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.