PDF malware analysis — malicious · c56795a9b910c267

MALICIOUS

PDF

48.3 KB Created: 2020-08-07 03:04:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8790d0f823b9c513539b31e75759d27b SHA-1: 9e3dcddf37e9e85d641f6c868280681ab0a1c8ae SHA-256: c56795a9b910c2671961853963e9a5905010b1608df67ccb4e35b80d750ceee9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, many of which point to a redirector service (ttraff.ru) that is flagged as malicious. The document body and embedded links suggest a lure related to saving web pages to PDF on Android, likely intended to trick users into visiting malicious sites. The presence of a large number of external links, many hosted on Shopify, indicates a link farm or SEO poisoning attempt to drive traffic to the malicious redirector.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=save+web+page+to+pdf+android
- http://files.gypsyrebeldesigns.com/uploads/1/3/2/3/132303248/vevesubomavifuda.pdf
- http://files.nathonkelley.com/uploads/1/3/1/3/131398139/f050bef1d9b19.pdf
- http://files.naturalcoach.com/uploads/1/3/1/3/131379439/bojota-zipirejowirol-pelenat-pejojetedur.pdf
- https://cdn.shopify.com/s/files/1/0432/0123/3053/files/82500846256.pdf
- https://cdn.shopify.com/s/files/1/0429/1588/9305/files/47457922065.pdf
- https://cdn.shopify.com/s/files/1/0434/2539/8946/files/gitub_host_webpage.pdf
- https://cdn.shopify.com/s/files/1/0433/2254/0185/files/sevulovolupimilodig.pdf
- https://cdn.shopify.com/s/files/1/0440/4540/2277/files/abbreviations_and_acronyms.pdf
- https://cdn.shopify.com/s/files/1/0432/7833/6165/files/zelagegelixan.pdf
- https://cdn.shopify.com/s/files/1/0440/7430/3640/files/negative_exponents_worksheet_kuta.pdf
- https://cdn.shopify.com/s/files/1/0438/5944/3862/files/zenimil.pdf
- https://cdn.shopify.com/s/files/1/0447/9621/5456/files/ff14_act_overlays.pdf
- https://cdn.shopify.com/s/files/1/0431/0820/4704/files/92592129567.pdf
- https://cdn.shopify.com/s/files/1/0437/2919/1066/files/batten_wiring.pdf
- https://cdn.shopify.com/s/files/1/0434/2621/8136/files/37188977097.pdf
- https://cdn.shopify.com/s/files/1/0428/3206/8775/files/55481656009.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064e3.bin` `4f1a32785014d55e771d31d05fbffbb0eec8f5d543aad9a9b2bb8e4813b2ae09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64E3	5392 bytes
`font_01_sfnt_off00007760.bin` `7b3137bc25bba278ec5a491da815c7a7f62206916adcba958a9158deec0be823`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7760	9800 bytes
`font_02_sfnt_off00009924.bin` `451a04ecd6583c77ab05b3baf2e27f9da5396c39c241778da41488cdbd5211a8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9924	17892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.