PDF malware analysis — malicious · b04277f6c6d2fcb7

MALICIOUS

PDF

46.9 KB Created: 2020-07-28 23:02:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 789ca8367b3b843206a79998a8918de4 SHA-1: baaf05c1f124049a54f1f7da4207b1ef369b280c SHA-256: b04277f6c6d2fcb77c0c7747b45dc69b5e571c035b6704d871a297b96e671de0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=manual+acredita%25C3%25A7%25C3%25A3o+ona+2018'. Additionally, it exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains. The document body is heavily obfuscated and unreadable, but the presence of the malicious redirector strongly suggests a phishing or malware delivery attempt. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=manual+acredita%25C3%25A7%25C3%25A3o+ona+2018
- http://files.crossroadschurch-aurora.org/uploads/1/3/0/7/130739298/bigedovexawokorusuf.pdf
- http://files.marinapascoe.com/uploads/1/3/2/8/132814589/e4fdf359.pdf
- http://files.inakadojo.org/uploads/1/3/2/6/132696063/9652941.pdf
- http://files.surrenderedtochrist.org/uploads/1/3/0/7/130776483/c00dec987.pdf
- https://cdn.shopify.com/s/files/1/0434/8660/9573/files/74596632096.pdf
- https://cdn.shopify.com/s/files/1/0436/2154/8194/files/64044108338.pdf
- https://cdn.shopify.com/s/files/1/0435/5178/5109/files/47017929210.pdf
- https://cdn.shopify.com/s/files/1/0430/0131/5491/files/walevawedu.pdf
- https://cdn.shopify.com/s/files/1/0429/8942/0695/files/93476319145.pdf
- https://cdn.shopify.com/s/files/1/0431/3061/8011/files/34933490285.pdf
- https://cdn.shopify.com/s/files/1/0437/7722/8957/files/12778655393.pdf
- https://cdn.shopify.com/s/files/1/0429/5586/6263/files/nunifirivezururufig.pdf
- https://cdn.shopify.com/s/files/1/0428/7909/0855/files/dozakupa.pdf
- https://cdn.shopify.com/s/files/1/0429/8568/5153/files/65180211253.pdf
- https://cdn.shopify.com/s/files/1/0429/6006/0567/files/77387703764.pdf
- https://cdn.shopify.com/s/files/1/0436/0667/1517/files/19112606878.pdf
- https://cdn.shopify.com/s/files/1/0437/9744/6816/files/98460888834.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0430/0131/5491/files/walevawedu.pd

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007529.bin` `6dc698c42806f10151ad9cc88944255a98344fd810e0b6e726350523775ddc4e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7529	5664 bytes
`font_01_sfnt_off00008792.bin` `dc2eac9dfeeacd8553dec1b9ae936cd3a89343bd809af49c1f0a6d86386f27f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8792	12124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.