PDF malware analysis — malicious · b574cfe7d4e21e96

MALICIOUS

PDF

46.8 KB Created: 2020-08-30 21:45:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8091987413f7943d7945e48e0eb291ec SHA-1: c13b51ae67ff63ddba84b46f88d454869e66b22e SHA-256: b574cfe7d4e21e9680b6f111b7bfeb3c7f02ad502866735b50bb68e6a9ddfa36

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=nelson+1865+raintrain+traveling+sprinkler'. This indicates an attempt to lure the user to a potentially harmful site. The document also contains a large number of embedded URLs, characteristic of a link farm, further supporting a malicious intent. No scripts were extracted, but the presence of the malicious redirector is sufficient evidence for this assessment.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=nelson+1865+raintrain+traveling+sprinkler
- https://cdn.shopify.com/s/files/1/0431/0355/1645/files/dezuwududulolonamug.pdf
- https://cdn.shopify.com/s/files/1/0429/1048/2591/files/angulo_de_depresion_ejercicios_resueltos.pdf
- https://cdn.shopify.com/s/files/1/0428/3983/4791/files/diccionario_de_psicologia_gratis.pdf
- https://cdn.shopify.com/s/files/1/0432/6942/3269/files/rexufexegegimilerabiviz.pdf
- https://cdn.shopify.com/s/files/1/0430/7147/1767/files/jukegigetomufe.pdf
- https://static.usrfiles.com/ugd/b8c837_c22b1b2e990942fdb564d53f60248541.pdf
- https://static.usrfiles.com/ugd/b8c837_97d3df522ca3497f83e214402bf74fbb.pdf
- https://static.usrfiles.com/ugd/9ff9b8_03d883fda83a4463a2cdbbd53f1506c8.pdf
- https://static.usrfiles.com/ugd/b8c837_63d74fb18a554f81931d84a70dbeb211.pdf
- https://cdn.shopify.com/s/files/1/0432/1771/5361/files/konawuratomufaziweza.pdf
- https://cdn.shopify.com/s/files/1/0431/2665/3090/files/20444894568.pdf
- https://cdn.shopify.com/s/files/1/0429/6091/2537/files/tufivisaduwimeken.pdf
- https://cdn.shopify.com/s/files/1/0429/7008/7587/files/45169354752.pdf
- https://cdn.shopify.com/s/files/1/0431/5208/1053/files/choices_hack_tool_apk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000069b0.bin` `e1a587b27d433ea46febe9dd0172dead6fdde34685427a77b75e73f43b8d5e22`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69B0	5392 bytes
`font_01_sfnt_off00007c1f.bin` `c9ca1dd5089b2a2cd3555e50c8e0e62bbe8b143c9149cd29808dca418989b9ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C1F	10412 bytes
`font_02_sfnt_off00009fc5.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FC5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.