PDF malware analysis — malicious · b33c8ad99be82d42

MALICIOUS

PDF

47.8 KB Created: 2020-08-31 08:56:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 584146468b75130783fc2d6581124663 SHA-1: 536af04bbe4c94c2539c5be43381b82020a63ce8 SHA-256: b33c8ad99be82d427b138c1d97026e1e738242a0973cfa9d913196869a6ff691

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which points to `https://ttraff.ru/wix?keyword=implement+or+gate+using+nand+gates+o`. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which are hosted on `cdn.shopify.com`. The document body, though heavily obfuscated, contains the same malicious URL and appears to be generated by `wkhtmltopdf`. The primary attack vector is likely social engineering via a deceptive link within the PDF.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=implement+or+gate+using+nand+gates+o
- https://cdn.shopify.com/s/files/1/0435/5093/3155/files/waroxek.pdf
- https://cdn.shopify.com/s/files/1/0430/8893/7120/files/fonajapeje.pdf
- https://cdn.shopify.com/s/files/1/0434/0360/8216/files/52912449539.pdf
- https://cdn.shopify.com/s/files/1/0438/4777/8469/files/the_silent_age_walkthrough.pdf
- https://static.usrfiles.com/ugd/33a2e4_30af46dacd1d4ca6919e40d802aac107.pdf
- https://cdn.shopify.com/s/files/1/0430/7940/1634/files/kopewemubox.pdf
- https://cdn.shopify.com/s/files/1/0434/6766/9654/files/bibifaxokax.pdf
- https://cdn.shopify.com/s/files/1/0432/0106/9220/files/gymnastics_training.pdf
- https://cdn.shopify.com/s/files/1/0440/8072/6168/files/pebewuxamikaweduw.pdf
- https://cdn.shopify.com/s/files/1/0429/4190/7100/files/47482213053.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/meragavafeduxilaxopuxaw.pdf
- https://cdn.shopify.com/s/files/1/0430/0334/7098/files/desowexutijoli.pdf
- https://cdn.shopify.com/s/files/1/0448/4349/9677/files/auckland_downtown_map.pdf
- https://cdn.shopify.com/s/files/1/0433/8984/5654/files/almanak_hkbp_2020.pdf
- https://cdn.shopify.com/s/files/1/0436/0473/8206/files/bitzer_semi_hermetic_compressor_catalogue.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006121.bin` `65d6bdd2040e1245f1100a7719f99197aec2a45f05a4b5d2bedd4b19d40a47de`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6121	5216 bytes
`font_01_sfnt_off000072be.bin` `6fab881ecaae4d012c19d4552729f4f8a12d0a4885414fadbc7c15deaf96fe6c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72BE	13788 bytes
`font_02_sfnt_off00009d70.bin` `713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9D70	16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.