PDF malware analysis — malicious · c263a08411f88e0f

MALICIOUS

PDF

64.8 KB Created: 2020-07-16 05:27:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 73f7f310696dd12b815dc8acb7b18027 SHA-1: a1cbd3da7002f063262685d468f3d4a5e5e85885 SHA-256: c263a08411f88e0f2761e66f9b57d8cbb7a737bc6bfc77ba45d6ac56f5dce2ef

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. One of these links, 'https://ttraff.ru/pify?keyword=array+in+c+with+example+programs+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to programming examples, likely to trick users into clicking the malicious links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=array+in+c+with+example+programs+pdf
- http://files.sheuniquephotography.com/uploads/1/3/0/7/130775905/lusenuduvilox-xugomonajaju.pdf
- http://files.blog.rowlisonart.com/uploads/1/3/0/7/130739693/60be5320a.pdf
- http://files.markmilewski.com/uploads/1/3/0/7/130740256/879668.pdf
- http://files.jlsdayton.com/uploads/1/3/0/7/130739062/kusegekopefisazep.pdf
- https://cdn.shopify.com/s/files/1/0429/4760/8730/files/jovudelaxop.pdf
- https://cdn.shopify.com/s/files/1/0431/5689/7947/files/zunijimipinifebome.pdf
- https://cdn.shopify.com/s/files/1/0432/9088/6312/files/gofuveju.pdf
- https://cdn.shopify.com/s/files/1/0428/8957/6601/files/91281413238.pdf
- https://lopojezo.files.wordpress.com/2020/06/sosipiva.pdf
- https://kurupava.files.wordpress.com/2020/06/78125712117.pdf
- https://buverogil.files.wordpress.com/2020/07/tulus.pdf
- https://bafuximafeza467793456.files.wordpress.com/2020/07/13690669020.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/fuwofomakilaxenifotet.pdf
- https://cdn.shopify.com/s/files/1/0433/0127/3758/files/zozorem.pdf
- https://cdn.shopify.com/s/files/1/0432/5117/1478/files/xuziruvikal.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pejolezogumulugadajo.pdf
- https://cdn.shopify.com/s/files/1/0430/9578/5629/files/kanajez.pdf
- https://cdn.shopify.com/s/files/1/0431/1760/9122/files/93576413236.pdf
- https://cdn.shopify.com/s/files/1/0429/4216/9244/files/6061047760.pdf
- https://cdn.shopify.com/s/files/1/0427/8580/0358/files/51834035055.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b2ce.bin` `6af9cef7fcc0108c31e9e4bd4437d344b286dedc5bce66c6d2102834109f39a1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB2CE	5608 bytes
`font_01_sfnt_off0000c5c4.bin` `369ed040b0892e12cacddb2c0917ff8183ca2d92e3bf7be3171b969814d8f835`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC5C4	15356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.