PDF malware analysis — malicious · c3fe70f186f357a2

MALICIOUS

PDF

41.6 KB Created: 2020-08-22 13:40:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 76fd9be4a4f52ee4974474f7b689a54c SHA-1: a6e9bf7e0802afc38f0180a0a4dd2bc3a92f813d SHA-256: c3fe70f186f357a28a2dfdffa94cc9d3454188274578d907e7e2288c9a10dd6e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO poisoning. One critical heuristic firing indicates a direct link to a known malicious redirector, ttraff.ru, which is further obfuscated within the document body. This redirector likely serves as a gateway to malicious content, aiming to deceive users into downloading further malware or visiting phishing sites. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=cpm+geometry+chapter+5+test+answers
- http://files.bigrapidsdriving.org/uploads/1/3/1/8/131856285/fafixi_rekaxunokawi.pdf
- http://files.whitesfolly.com/uploads/1/3/1/4/131408537/venoberabifunas.pdf
- http://nizisuda.runwaylink.com/uploads/1/3/0/7/130776265/letuvujived_nufinovaxezi_toxagezexibuj_gusojaju.pdf
- http://pebidaj.atlanticbooking.com/uploads/1/3/2/3/132302870/2522450.pdf
- http://files.dreamcatcherassociation.com/uploads/1/3/1/6/131637135/beninudisakokaw-sojaronume.pdf
- https://cdn.shopify.com/s/files/1/0434/1992/6679/files/weguposez.pdf
- https://cdn.shopify.com/s/files/1/0446/9637/1356/files/76845199893.pdf
- https://cdn.shopify.com/s/files/1/0433/4629/6982/files/gezijagejitizojufudesuvu.pdf
- https://cdn.shopify.com/s/files/1/0432/0660/7012/files/dinadofobi.pdf
- https://cdn.shopify.com/s/files/1/0438/2192/4514/files/nibulikavevunolagixerakil.pdf
- https://cdn.shopify.com/s/files/1/0428/8770/8825/files/92540607851.pdf
- https://cdn.shopify.com/s/files/1/0429/8165/4679/files/27832938029.pdf
- https://cdn.shopify.com/s/files/1/0438/0554/0509/files/zuvuxekagulefotoxuguxaz.pdf
- https://cdn.shopify.com/s/files/1/0432/7846/7222/files/17200494957.pdf
- https://cdn.shopify.com/s/files/1/0431/7180/7381/files/teen_punished_fucked.pdf
- https://cdn.shopify.com/s/files/1/0430/1992/7713/files/70846025521.pdf
- https://cdn.shopify.com/s/files/1/0435/3510/6207/files/jofasa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000061a7.bin` `55f15dd3e9b4fb8b169d74b7357dc669a32a8bcfa82b55a2d45eff44796cf887`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61A7	5540 bytes
`font_01_sfnt_off00007475.bin` `e67bc6cca7fe45255acc8d1cc131157bb92c72b50c1d97b170028f88223c9610`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7475	10828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.