PDF malware analysis — malicious · b41cc7d84a76db4e

MALICIOUS

PDF

43.3 KB Created: 2020-08-10 20:55:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 50fb1e2a912fd7d78ff569afee3d56ae SHA-1: f3393734c53b48b7e6df4e5cda41fb1a4c3ed950 SHA-256: b41cc7d84a76db4eebb59eb6327704baa3f32149f326f5cc2fc90a7e7f3e055f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains embedded links that point to a known malicious redirector, ttraff.ru. The document body, though heavily obfuscated, includes the same URL and references 'buzzed game cards pdf', suggesting a lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy to obscure the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=buzzed+game+cards+pdf
- http://jejimutu.literacy-initiative.org/uploads/1/3/1/3/131398020/ce7f46e.pdf
- http://files.townsend-rogers.org/uploads/1/3/1/3/131384025/joxetopelepuwul_zedexefameveru_vefipenekanefo.pdf
- http://files.rickwoodwriter.com/uploads/1/3/0/8/130814636/leporimifojejif.pdf
- https://cdn.shopify.com/s/files/1/0431/6335/3244/files/30577344250.pdf
- https://cdn.shopify.com/s/files/1/0429/0979/4463/files/66858570523.pdf
- https://cdn.shopify.com/s/files/1/0432/0670/5316/files/buboresarijubelakezupaga.pdf
- https://cdn.shopify.com/s/files/1/0431/0525/5577/files/lobebatunemoxi.pdf
- https://cdn.shopify.com/s/files/1/0429/7054/6329/files/byte_of_python_swaroop.pdf
- https://cdn.shopify.com/s/files/1/0431/6243/5739/files/4984771261.pdf
- https://cdn.shopify.com/s/files/1/0431/9831/6707/files/56596342686.pdf
- https://cdn.shopify.com/s/files/1/0440/8908/2006/files/ridipisisuropi.pdf
- https://cdn.shopify.com/s/files/1/0432/4933/6483/files/kawesizab.pdf
- https://cdn.shopify.com/s/files/1/0431/8478/3509/files/xaxelonuvunowefifu.pdf
- https://cdn.shopify.com/s/files/1/0434/0056/0803/files/siluxogutiwobojezi.pdf
- https://cdn.shopify.com/s/files/1/0430/8077/7882/files/nufapalurimaf.pdf
- https://cdn.shopify.com/s/files/1/0434/7353/5138/files/zojagopedutibitawak.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c65.bin` `7e2622b847b0b5e6dd558e18b8e33454c46dca91ea842b505925410aee4b92ca`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C65	5080 bytes
`font_01_sfnt_off00006db5.bin` `86fb39764d89e6c82b2ec4c003b2088c2ddeb38a3c67765db209ed61be5088cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DB5	10816 bytes
`font_02_sfnt_off0000926d.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x926D	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.