PDF malware analysis — malicious · cbd1f6cc4abfde7d

MALICIOUS

PDF

44.3 KB Created: 2020-08-31 00:30:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 47d1c5b7b93a4b554262caa137ce6555 SHA-1: 697ead20c8b6ebe421f840e85f1fe3fc325496af SHA-256: cbd1f6cc4abfde7dd4b33a13d0c63e6c61ddf15433d15ede37843f2c27f2d4f5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to SEO-optimized PDF documents hosted on Shopify. One of these links, https://ttraff.ru/wix?keyword=harvest+maid+dehydrator+nz, is identified as a malicious redirector. This suggests a tactic to drive traffic to malicious infrastructure, likely for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=harvest+maid+dehydrator+nz
- https://cdn.shopify.com/s/files/1/0428/9665/4489/files/font_caprica_script_personal_use.pdf
- https://cdn.shopify.com/s/files/1/0436/0781/8398/files/geometrical_optics_mcqs.pdf
- https://cdn.shopify.com/s/files/1/0429/2847/2220/files/77509932164.pdf
- https://cdn.shopify.com/s/files/1/0435/9297/4499/files/31958995595.pdf
- https://cdn.shopify.com/s/files/1/0440/0565/4686/files/dragon_ball_xenoverse_2_best_qq_bang.pdf
- https://static.usrfiles.com/ugd/b8c837_530f10c04df940bf961b075022518ad9.pdf
- https://static.usrfiles.com/ugd/f55bec_a02e468caa424ff28c289093b45c24e2.pdf
- https://static.usrfiles.com/ugd/b8c837_93fb442f601d4f1396acf8fe3e42e002.pdf
- https://static.usrfiles.com/ugd/1df9ea_c172be2d3a7c48c68fb91e16f9fef090.pdf
- https://static.usrfiles.com/ugd/3b7182_5f5ddd6aa84e441bbb3e873a223f510f.pdf
- https://static.usrfiles.com/ugd/fef806_866a3a2c39fe4fb191733c8e0ef043aa.pdf
- https://static.usrfiles.com/ugd/b8c837_786df7fde3b647fda9709b813914d8c2.pdf
- https://cdn.shopify.com/s/files/1/0435/7337/9231/files/lavazimesem.pdf
- https://cdn.shopify.com/s/files/1/0428/3462/4679/files/30492703849.pdf
- https://cdn.shopify.com/s/files/1/0430/1609/3849/files/riwijisatajukowunex.pdf
- https://cdn.shopify.com/s/files/1/0432/3000/3355/files/kitchenaid_convection_microwave_manual.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005994.bin` `12e384e28bf6e06152675073a91253a54b725cf1d855e05569dfe89b922c1d97`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5994	1640 bytes
`font_01_sfnt_off000061c0.bin` `8cad393281479d55c1ed1d0cdfa3e80cdca30a2d1d1580fc0697bdf66ef328d0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61C0	5204 bytes
`font_02_sfnt_off0000735c.bin` `a2b0951da9223dc89ded4a9eb3b5f074f447df48e5710d04648a37b03c204615`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x735C	14960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.