PDF malware analysis — malicious · d5a03f97e86f7534

MALICIOUS

PDF

43.5 KB Created: 2020-08-24 16:15:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6afb674913af6712e6d2bef65bb29596 SHA-1: b3c4462ff4e969c8a6f89658f1a39fec61f01c8f SHA-256: d5a03f97e86f7534a3fb7cfe61c75f2b9de71ede2a280446218c51ddaf00b0e9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Phishing: Spearphishing Attachment T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious Link: Malicious File

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates a malicious redirector link, specifically 'https://ttraff.ru/pify?keyword=impossible+quiz+2+answers+26'. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to trick users into clicking on malicious links. The presence of numerous Shopify-hosted PDF files, while many are benign, suggests a link farm or SEO poisoning technique to improve the ranking of the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=impossible+quiz+2+answers+26
- http://files.kaufmanautogroup.com/uploads/1/3/0/7/130775639/foxakipa.pdf
- http://files.carriedolan.com/uploads/1/3/0/7/130776864/9017134.pdf
- http://files.dovesembrace.com/uploads/1/3/2/7/132740463/226b2fe89.pdf
- http://files.bandofgypsiesranch.com/uploads/1/3/2/3/132303170/8787153.pdf
- http://losaxuga.salsaon2school.com/uploads/1/3/0/7/130738721/wimapetutedijaxixaj.pdf
- https://cdn.shopify.com/s/files/1/0432/9940/5979/files/24915576453.pdf
- https://cdn.shopify.com/s/files/1/0432/4353/6552/files/golipi.pdf
- https://cdn.shopify.com/s/files/1/0428/7817/3343/files/tinogofudokemawikos.pdf
- https://cdn.shopify.com/s/files/1/0433/8368/5270/files/20156692245.pdf
- https://cdn.shopify.com/s/files/1/0431/2462/1473/files/wimekatowibazodenavo.pdf
- https://cdn.shopify.com/s/files/1/0431/8186/7176/files/rikivejezibizuladu.pdf
- https://cdn.shopify.com/s/files/1/0430/6570/4602/files/latupupadovorifazunuji.pdf
- https://cdn.shopify.com/s/files/1/0430/6855/5415/files/3367783399.pdf
- https://cdn.shopify.com/s/files/1/0430/6341/0845/files/online_flashcard_maker.pdf
- https://cdn.shopify.com/s/files/1/0431/9212/3560/files/11144572984.pdf
- https://cdn.shopify.com/s/files/1/0434/8700/2790/files/49977565847.pdf
- https://cdn.shopify.com/s/files/1/0438/4066/7810/files/11064860071.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a5a.bin` `8864ad12d5c947fe4d305cb914c4568db9e5c8fd4f267057275e0fc14adce44f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A5A	5596 bytes
`font_01_sfnt_off00007d5c.bin` `e3f0f622e3ff9002e0855589a7ae773cb92779678394d8f7ba66a9b67728131e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D5C	10864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.