PDF malware analysis — malicious · cb370fed44a2c0fb

MALICIOUS

PDF

39.5 KB Created: 2020-08-27 23:15:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 59572122bbf77833c829988774fe1848 SHA-1: f701ac85dcd509490f8388cfbf935f9cc4b10a20 SHA-256: cb370fed44a2c0fbc94a95df3fff3e93bacb29f0e59680ffb63f675018b4c769

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=bccm+form+11', disguised as an invoice or payment form. This lure is intended to trick the user into clicking the link, which likely leads to further malicious content. The PDF also hosts a large number of external links, many hosted on shopify.com, potentially for SEO manipulation or to obscure the malicious redirector.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bccm+form+11
- http://kejuk.tiftcountysoccer.com/uploads/1/3/1/3/131380591/vowawavabipowe.pdf
- https://cdn.shopify.com/s/files/1/0431/0417/4233/files/academic_example_of_information_literacy.pdf
- https://cdn.shopify.com/s/files/1/0427/6004/4710/files/jegikaxatoxafupibugej.pdf
- https://cdn.shopify.com/s/files/1/0432/8947/7273/files/40208445748.pdf
- https://cdn.shopify.com/s/files/1/0430/0803/2922/files/fazer_assinatura_digital.pdf
- https://cdn.shopify.com/s/files/1/0461/8246/5689/files/fzmovies._net_free_latest_bollywood_hollywood.pdf
- https://cdn.shopify.com/s/files/1/0431/3219/0876/files/africa_map_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0429/3135/5807/files/serusugixi.pdf
- https://cdn.shopify.com/s/files/1/0436/2013/9170/files/12687650241.pdf
- https://cdn.shopify.com/s/files/1/0430/1121/1425/files/togidupezututukavi.pdf
- https://cdn.shopify.com/s/files/1/0429/8981/3909/files/68012473800.pdf
- https://cdn.shopify.com/s/files/1/0433/3184/6296/files/fufuxusagimalu.pdf
- https://cdn.shopify.com/s/files/1/0431/3654/9018/files/manual_da_execuo_araken_de_assis_download.pdf
- https://cdn.shopify.com/s/files/1/0435/7029/9048/files/unitech_cable_tray_catalogue.pdf
- https://cdn.shopify.com/s/files/1/0431/7180/7392/files/antidiabetic_drugs_review.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c84.bin` `3abb33e1df5547256a5b74c84cae5bbfee5d82570d32ee79032676deb76529fe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C84	4708 bytes
`font_01_sfnt_off00006c75.bin` `21e21ed2082e589f2898d5f0683130aa029414d1ae8194e982227da3ec025815`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C75	10840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.