PDF malware analysis — malicious · b70632383c9fa2d7

MALICIOUS

PDF

46.1 KB Created: 2020-08-30 13:26:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 62944712a5d98930920a3eb81598bdd2 SHA-1: 6961e9c2ca17e8fe54315facff066c0a3a02ecfa SHA-256: b70632383c9fa2d757f7a20c3504de93ae26c7a9d0adcab3021421aec762e271

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of numerous embedded links, a common tactic for distributing malware or leading users to phishing sites. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wix?keyword=la+peste+camus+pdf'. Another heuristic identified a large number of external PDF links, with 'https://cdn.shopify.com/s/files/1/0434/8510/2237/files/pumolirelufisaregalu.pdf' being the first listed. The document body contains garbled text but includes the same malicious URL, reinforcing the attack vector.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=la+peste+camus+pdf
- https://cdn.shopify.com/s/files/1/0434/8510/2237/files/pumolirelufisaregalu.pdf
- https://cdn.shopify.com/s/files/1/0434/6295/1062/files/avrdudess_2._2.pdf
- https://cdn.shopify.com/s/files/1/0435/9385/9231/files/31558103630.pdf
- https://cdn.shopify.com/s/files/1/0440/0729/3086/files/savurufarumotakijavizanev.pdf
- https://cdn.shopify.com/s/files/1/0431/0922/0503/files/escala_cromatica_de_clarinete.pdf
- https://cdn.shopify.com/s/files/1/0431/6404/1365/files/varadhan_probability_theory.pdf
- https://static.usrfiles.com/ugd/63022f_6be4cc3e81c74f919df7e70a54f883ec.pdf
- https://static.usrfiles.com/ugd/b8c837_ae65c72f6d064772b7a95a571fad0309.pdf
- https://static.usrfiles.com/ugd/b8c837_25bc10c4aeab49bfb623038ca7ad96a6.pdf
- https://static.usrfiles.com/ugd/b8c837_784ab9ff4f1f49e38983d04f34a910e7.pdf
- https://static.usrfiles.com/ugd/b8c837_335e42b09e474ea6aae944e6a41eac6f.pdf
- https://cdn.shopify.com/s/files/1/0431/3009/3728/files/jesodiwerigiluborijogori.pdf
- https://cdn.shopify.com/s/files/1/0437/1218/4474/files/buletogefugomonefopafo.pdf
- https://cdn.shopify.com/s/files/1/0431/8937/1040/files/michelin_guide_hong_kong_bib_gourmand.pdf
- https://cdn.shopify.com/s/files/1/0437/7303/4657/files/lowatoxo.pdf
- https://cdn.shopify.com/s/files/1/0435/7016/7966/files/tezikexi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000071ad.bin` `9b68f2c9b034298e00d1baae0a371e92ab1480a06f49004bed408573a426c210`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71AD	5112 bytes
`font_01_sfnt_off00008306.bin` `3904d4642d9e6004bd32f79bf85d7b4241ea59cf03d32babe10e51b5bb065874`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8306	12584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.