PDF malware analysis — malicious · d81e7c355f420a9b

MALICIOUS

PDF

62.4 KB Created: 2020-08-19 19:20:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 76a73cbfc11d9a06bd64df9f8a197068 SHA-1: 32ff28fc3d1e9b5f50253e35c11e6e7d273296d5 SHA-256: d81e7c355f420a9b22f0713fb794667cd4735a8f056a7bd5e0da6a21016f5ffd

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=royaume+betsimisaraka+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, one of which is 'https://cdn.shopify.com/s/files/1/0434/4017/7308/files/microsoft_office_flyer_template.pdf'. The document body, though heavily obfuscated, contains the malicious URL, suggesting the document's primary purpose is to redirect users to potentially harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=royaume+betsimisaraka+pdf
- http://files.heavygrail.net/uploads/1/3/1/3/131380733/bitat.pdf
- https://cdn.shopify.com/s/files/1/0434/4017/7308/files/microsoft_office_flyer_template.pdf
- https://cdn.shopify.com/s/files/1/0430/4853/4167/files/90944059715.pdf
- https://cdn.shopify.com/s/files/1/0431/1498/7682/files/kodufoxefifet.pdf
- https://cdn.shopify.com/s/files/1/0437/8863/2213/files/bowemodajupiwek.pdf
- https://cdn.shopify.com/s/files/1/0431/3173/2132/files/kukilolimepovimuta.pdf
- https://cdn.shopify.com/s/files/1/0429/8565/2375/files/zodujovukamifulawejovi.pdf
- https://cdn.shopify.com/s/files/1/0431/1249/7313/files/bosexozuzajizewo.pdf
- https://cdn.shopify.com/s/files/1/0434/5757/7122/files/96208694104.pdf
- https://cdn.shopify.com/s/files/1/0447/8844/9437/files/electronics_and_communication_engineering_books_download.pdf
- https://cdn.shopify.com/s/files/1/0431/9815/2866/files/adj_airstream_dmx_bridge_manual.pdf
- https://cdn.shopify.com/s/files/1/0430/4447/0933/files/28046076244.pdf
- https://cdn.shopify.com/s/files/1/0439/7400/0798/files/term_end_report_card_comments.pdf
- https://cdn.shopify.com/s/files/1/0433/2381/8139/files/68259516773.pdf
- https://cdn.shopify.com/s/files/1/0433/9436/7649/files/graphene_tutorial.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a448.bin` `38fe0f9750ba3f5a7cd12f16aa492c321db86c7a99ce450ba2128c93537b7df9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA448	5244 bytes
`font_01_sfnt_off0000b629.bin` `6b54539bcb73e57469a6392e4cfc0ecd956e117e818348943de6fda5c0cb04f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB629	12860 bytes
`font_02_sfnt_off0000de1c.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDE1C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.