PDF malware analysis — malicious · ca685069341f79d2

MALICIOUS

PDF

48.4 KB Created: 2020-08-31 03:08:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3d6b4a4de908f7b26dae0f2740100953 SHA-1: dffdef132b66fe879a26eae8c4a8698543aa6a73 SHA-256: ca685069341f79d2843a3a1e53528ce2a7b51e375738d4e9c00d446f2fe8486e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including a critical redirector link to 'ttraff.ru', suggesting a phishing or malicious redirection attempt. The document body, though heavily obfuscated, contains the target URL, reinforcing the lure. The presence of multiple embedded links points towards a link farm strategy, likely to obscure the final malicious destination.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=organization+theory+and+design+pdf
- https://cdn.shopify.com/s/files/1/0439/1672/2344/files/bitdefender_antivirus_plus_full.pdf
- https://cdn.shopify.com/s/files/1/0434/3051/0758/files/caste_validity_certificate_online_application_form_download.pdf
- https://cdn.shopify.com/s/files/1/0436/6653/8649/files/lebogodadekizemapeli.pdf
- https://cdn.shopify.com/s/files/1/0429/8126/1466/files/modawukapokojizefekaf.pdf
- https://static.usrfiles.com/ugd/b8c837_6eb6c193ad904bc6abfbbe9ed62d48d8.pdf
- https://static.usrfiles.com/ugd/696b8a_0187be55132b44c4b7c2926fa4c75c13.pdf
- https://static.usrfiles.com/ugd/b8c837_b6d52c594b6346f6a852138a574443f8.pdf
- https://static.usrfiles.com/ugd/345929_c5f1db425c8146b0a8061c6b9ad4b03e.pdf
- https://static.usrfiles.com/ugd/b8c837_c4a474de23234ad19ff6efe174bdf19a.pdf
- https://static.usrfiles.com/ugd/b7082a_d9c78e0da94f460ea3279699e6df7d99.pdf
- https://static.usrfiles.com/ugd/b8c837_ce009ef657864d7f8b0a84db86214aba.pdf
- https://static.usrfiles.com/ugd/5899d5_cd407306f93d4932945e25b1361c8338.pdf
- https://static.usrfiles.com/ugd/b8c837_02e5e937b0104151bfdb0e440bee2fc8.pdf
- https://static.usrfiles.com/ugd/b8c837_6d956ce77f8b44fa80c665f0e1b82399.pdf
- https://static.usrfiles.com/ugd/934fc3_6e93497a78f045c1ba4fc7d84fd27330.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/b8c

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064ee.bin` `3f887421e9c700f9a6fe306d2839559c5b7ae0712479445fee285a59f4c70419`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64EE	5452 bytes
`font_01_sfnt_off00007782.bin` `5cc09562bc87575a83b4e02093b76c088d644b74976b5f07a090916f2b295107`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7782	10044 bytes
`font_02_sfnt_off00009a2c.bin` `777ea0033fd2e52a4c5710ced8849c3662d637468619a5a0a9d6ae8d2fc2b77f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A2C	17516 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.