PDF malware analysis — malicious · bf0554c1f603826e

MALICIOUS

PDF

42.9 KB Created: 2020-08-12 10:03:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5e528d3f83935c6249e14e6182ef0ff9 SHA-1: 34965c29c93f9d7b8a98f09125e941525f44e5fa SHA-256: bf0554c1f603826e0a91547ea2b9e23fcdbcd1122c8eddfc3d1fbe4dca0c2e66

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=html+to+pdf+api'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0433/3764/6245/files/mepipi.pdf' being one of the first identified. The document body, though heavily obfuscated, contains references to 'html to pdf api' and the authoring application 'wkhtmltopdf', suggesting a social engineering pretext to disguise the malicious redirection. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=html+to+pdf+api
- http://files.crowdedbedcreations.com/uploads/1/3/1/3/131382700/puvoxevotesunuta.pdf
- http://files.ceecentre.com/uploads/1/3/1/6/131606262/b28866ad5.pdf
- http://files.northwestarkansasdistrictfair.com/uploads/1/3/0/7/130775856/9971986.pdf
- http://files.flashbackmarine.com/uploads/1/3/1/1/131164202/5519507.pdf
- https://cdn.shopify.com/s/files/1/0433/3764/6245/files/mepipi.pdf
- https://cdn.shopify.com/s/files/1/0429/8529/1937/files/accords_toltques.pdf
- https://cdn.shopify.com/s/files/1/0432/5664/3739/files/bizixunivizimagajes.pdf
- https://cdn.shopify.com/s/files/1/0432/6716/2276/files/gogilifiwuzenulujetosikaz.pdf
- https://cdn.shopify.com/s/files/1/0431/7039/8372/files/lugelesulotomixa.pdf
- https://cdn.shopify.com/s/files/1/0432/6332/8411/files/dasuzoviviziru.pdf
- https://cdn.shopify.com/s/files/1/0431/0374/8263/files/aditivos_alimentarios_conservantes.pdf
- https://cdn.shopify.com/s/files/1/0437/2201/4870/files/jesibazepuxejokovuroxeve.pdf
- https://cdn.shopify.com/s/files/1/0432/8125/2512/files/xewuzogexot.pdf
- https://cdn.shopify.com/s/files/1/0434/4872/9766/files/39356968748.pdf
- https://cdn.shopify.com/s/files/1/0431/2937/2836/files/best_3ds_emulator_for_pc.pdf
- https://cdn.shopify.com/s/files/1/0431/5843/8056/files/48036048849.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f81.bin` `332ebd5bbdbd1166e64de1d44eedfed037bfd72c3d5fec28047d794e6f713b87`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F81	4876 bytes
`font_01_sfnt_off00007006.bin` `7d6b5c89ebc3327d6a56520d3e7040e4ef195c932ecc4b46a8d0f9bee3ebc216`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7006	15168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.