MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous links, including one pointing to a known malicious redirector at 'ttraff.ru'. The document body, though heavily obfuscated, suggests a lure related to 'adverbs of frequency pdf explanation'. The presence of a link farm and a redirector indicates an attempt to drive traffic to malicious infrastructure, likely for further exploitation or phishing. The file was generated by wkhtmltopdf, a tool often abused for creating malicious documents.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.ru/pify?keyword=adverbs+of+frequency+pdf+explanation
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000074ae.bin b299b83cfe5eb5a327c70fb6e26619b5b2afc164f0f911a4ac460209bcc0d03b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74AE | 5516 bytes |
| font_01_sfnt_off00008780.bin bd93c0f407787369a553bdf7f1a4b1ab5ed98702a9a027bd6e4d0238c4e1327f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8780 | 13164 bytes |