PDF malware analysis — malicious · c78167f67634213b

MALICIOUS

PDF

41.0 KB Created: 2020-08-01 21:22:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 83d15d444e437d8eb481688dfeacfa38 SHA-1: ddbe0c970300bc9dd6922bc79e69bdbb25e2556f SHA-256: c78167f67634213ba24b8b26a9dc8984ac3dcfcd2e1e00df9dddf5e5bc472736

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm for SEO poisoning. One prominent link, 'https://ttraff.ru/pify?keyword=clean+install+high+sierra+apfs', is flagged as a malicious redirector. The document body also contains text that appears to be a lure for users to click on links related to software installation, and a heuristic indicates the document instructs users to copy/paste clipboard content into a shell, further supporting a malicious intent to redirect users to harmful sites.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=clean+install+high+sierra+apfs
- http://files.tsipimani.com/uploads/1/3/1/1/131163736/8896440.pdf
- http://files.portanglers.com/uploads/1/3/1/8/131871614/2432346.pdf
- http://files.yogamuseinc.com/uploads/1/3/1/4/131438203/7aabeadaabc5.pdf
- http://files.oheadhra-mackenzie.com/uploads/1/3/0/7/130776254/981dd610e57.pdf
- http://files.kimberlifreilinger.com/uploads/1/3/2/3/132303320/9141780.pdf
- https://cdn.shopify.com/s/files/1/0430/1471/7597/files/visatomotefi.pdf
- https://cdn.shopify.com/s/files/1/0431/7508/4193/files/nedil.pdf
- https://cdn.shopify.com/s/files/1/0429/6078/1465/files/63531820146.pdf
- https://cdn.shopify.com/s/files/1/0437/6068/1109/files/10282048991.pdf
- https://cdn.shopify.com/s/files/1/0433/1434/8197/files/45469718763.pdf
- https://cdn.shopify.com/s/files/1/0437/8266/8437/files/13964440216.pdf
- https://cdn.shopify.com/s/files/1/0437/9571/0113/files/janizixoked.pdf
- https://cdn.shopify.com/s/files/1/0430/2441/6931/files/jaridi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31240515614.pdf
- https://cdn.shopify.com/s/files/1/0434/4945/0661/files/29690570240.pdf
- https://cdn.shopify.com/s/files/1/0430/3293/6605/files/gakurewukifuru.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006314.bin` `14b474a4966c55c9718e7540906574f94c317a8c69871909295a7de13f936f6c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6314	5068 bytes
`font_01_sfnt_off0000744d.bin` `9013b6c333c69de02b0d47135c44a62fac21f060134fc229d0fd8f358691e001`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x744D	10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.