PDF malware analysis — malicious · c621ef53cbcb2d34

MALICIOUS

PDF

55.7 KB Created: 2020-08-23 00:48:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3cfc903bba910a5f51cbac46e7309d58 SHA-1: 6f31cabef229131668d49ba3955abfade7e1ca68 SHA-256: c621ef53cbcb2d34aad508d31238e1a02e467c0ab2e01e04ea63d355d7356e94

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a technique often used for SEO poisoning or redirecting users to malicious sites. One prominent URL, 'https://ttraff.ru/pify?keyword=cleaning+services+contract+word+template', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to disguise malicious content as a legitimate contract template. The presence of multiple Shopify links, while some are benign, contributes to the overall link farm characteristic.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=cleaning+services+contract+word+template
- http://rawime.sheepprogram.com/uploads/1/3/0/7/130776334/1322385.pdf
- http://direbaka.ysk-chb.com/uploads/1/3/1/4/131406676/tamazemowesojimidal.pdf
- http://files.giovannisdesigns.com/uploads/1/3/1/3/131380292/dunexebabi.pdf
- http://mizirib.grinnellcecbucketcourses.org/uploads/1/3/1/1/131163590/1500684.pdf
- https://cdn.shopify.com/s/files/1/0433/2650/5128/files/xowiwatuzewipaxewuk.pdf
- https://cdn.shopify.com/s/files/1/0431/5326/0701/files/bhagavathi_tamil_movie_hd.pdf
- https://cdn.shopify.com/s/files/1/0436/8980/3941/files/zozozanojisedegibuxola.pdf
- https://cdn.shopify.com/s/files/1/0433/1628/1512/files/78729259133.pdf
- https://cdn.shopify.com/s/files/1/0432/5366/1851/files/zununepebuz.pdf
- https://cdn.shopify.com/s/files/1/0431/8992/8099/files/mexiwapidiw.pdf
- https://cdn.shopify.com/s/files/1/0430/6341/0845/files/moulin_rouge_elephant_love_medley.pdf
- https://cdn.shopify.com/s/files/1/0430/8631/5682/files/71006344742.pdf
- https://cdn.shopify.com/s/files/1/0433/3892/4181/files/meme_creator_and_templates_tamil.pdf
- https://cdn.shopify.com/s/files/1/0433/7061/0851/files/17464222830.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000913e.bin` `a17885b4fd577e0298a64705d5055d2ac7c2363fd7008e9cf236b3df412a17d8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x913E	2828 bytes
`font_01_sfnt_off00009b38.bin` `3571692eb0ebd6b933eee611a1f36f3ea3c714ca3577e0f598429a2f9cb5ec4c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9B38	5452 bytes
`font_02_sfnt_off0000adbf.bin` `55b638b1670b0636dcce8cbc7d415f8ccedc6e2041442d8184ef538a027b0020`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xADBF	10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.