PDF malware analysis — malicious · d3cdee9e9b1d095c

MALICIOUS

PDF

45.1 KB Created: 2020-08-03 07:23:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 482b1c90c004f237de436ff3106d20d3 SHA-1: 44909daa39855c37f8a2a39d22ac8d46cb8e186e SHA-256: d3cdee9e9b1d095c14d11f72e457d0a757b8590b726bfd94d33e06f98bf2c434

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as an operations manual template, directing users to a malicious redirector at https://ttraff.cc/pify?keyword=operations+manual+template. This technique is commonly used to obscure the final malicious destination and evade initial detection. The presence of numerous external PDF links, many hosted on Shopify, suggests a coordinated effort to manipulate search engine results or distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=operations+manual+template
- http://files.plymouthcountyfire.com/uploads/1/3/0/9/130968921/zulubirud-rovupu-milomilu-rowapigitak.pdf
- http://files.csureddies.com/uploads/1/3/0/9/130969710/poxodomojab.pdf
- http://files.calmcradle.com/uploads/1/3/1/8/131856076/kadin-xogapi-widomu-baxowexemitit.pdf
- http://files.drcroes.com/uploads/1/3/2/6/132681201/ac21303.pdf
- http://files.caldermpasociety.com/uploads/1/3/1/0/131070144/bizuniwejero_wamewenizixo.pdf
- https://cdn.shopify.com/s/files/1/0434/0757/3157/files/gujutopesevugapudajanizun.pdf
- https://cdn.shopify.com/s/files/1/0430/1540/5725/files/zopiwobifefab.pdf
- https://cdn.shopify.com/s/files/1/0436/8757/5705/files/53009569312.pdf
- https://cdn.shopify.com/s/files/1/0436/8714/9733/files/how_to_uninstall_utorrent.pdf
- https://cdn.shopify.com/s/files/1/0433/0710/6462/files/bonapalifotugase.pdf
- https://cdn.shopify.com/s/files/1/0431/1734/6965/files/52934704071.pdf
- https://cdn.shopify.com/s/files/1/0432/2266/3331/files/jufisikutopikijitu.pdf
- https://cdn.shopify.com/s/files/1/0429/3351/8489/files/giant_mole_guide_osrs.pdf
- https://cdn.shopify.com/s/files/1/0431/6702/3259/files/puleloseluzuf.pdf
- https://cdn.shopify.com/s/files/1/0447/1826/0377/files/mkv_to_mp4_converter_free.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000584b.bin` `d988b2bc02fd56fba16882554089cb241b46b6846814728f5bba4e828bd73f86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x584B	5624 bytes
`font_01_sfnt_off00006ba9.bin` `7e67553b19b2d0c1838413d3462cdc4c4f38fd9c4407c0dab7db7f0fe62a79c5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BA9	4992 bytes
`font_02_sfnt_off00007c83.bin` `a9617a58a6e97aff670927cc3629444373fecab3a5478a3659affe2565fbecf5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C83	13676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.