PDF malware analysis — malicious · dbe170ea4671de34

MALICIOUS

PDF

44.8 KB Created: 2020-08-30 15:57:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 75bb57836c67c60ad7333e38c77e5ef2 SHA-1: a599efbded4df1b625996894d61a2b024f16d2c1 SHA-256: dbe170ea4671de34bf82fd49d6d04fc02c3795cf0dfef0cdc92486e6da5998ed

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=ciencias+naturales+3+primaria'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL and a benign-looking PDF link, suggesting a lure to trick users into clicking the malicious link. The file's purpose appears to be redirecting users to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=ciencias+naturales+3+primaria
- https://cdn.shopify.com/s/files/1/0430/8385/8073/files/likatuxomivajiguva.pdf
- https://cdn.shopify.com/s/files/1/0433/0012/6880/files/luxury_travel_guide_global_awards.pdf
- https://cdn.shopify.com/s/files/1/0428/2603/9463/files/vufigabedof.pdf
- https://static.usrfiles.com/ugd/3aca14_24e524bcec5a4be1828e5f6313003530.pdf
- https://static.usrfiles.com/ugd/b8c837_758c2b7f06cc41bfa13a33e69335c60d.pdf
- https://static.usrfiles.com/ugd/b8c837_8028f4da2d2a46c0b3c7dbafc63859d9.pdf
- https://static.usrfiles.com/ugd/dc98cc_c49b76470fcc4a9c85dcbfb71fdda611.pdf
- https://static.usrfiles.com/ugd/217d68_dd282f523c5e421a965cde8727822c24.pdf
- https://static.usrfiles.com/ugd/6924eb_9399dabe50e340afa1bf6473e778b285.pdf
- https://static.usrfiles.com/ugd/b8c837_7c8334de11cb427abfe117f3087708ba.pdf
- https://static.usrfiles.com/ugd/55cc32_038d801e22b346b1bfceea9832d2010c.pdf
- https://static.usrfiles.com/ugd/b8c837_d2709baaf22c43938472f80dc81ba666.pdf
- https://static.usrfiles.com/ugd/b8c837_e4b7d39b72a64b3a9ebd791606d268f6.pdf
- https://static.usrfiles.com/ugd/b8c837_3660a2cb9bf04d14a9ef227cb72b6c90.pdf
- https://static.usrfiles.com/ugd/b8c837_4622dc215d2e4f94b6f89ab7e5d0f771.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005dd7.bin` `2ce5a7286efefc5aae27ce1c31b3347e159d00bd30cf97f509a0b7f7d49caffb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DD7	6440 bytes
`font_01_sfnt_off00006dcc.bin` `f0e65b31737991fe697992e6fd8396f3f07a3a44b65b73a10d5418a51767f381`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DCC	5148 bytes
`font_02_sfnt_off00007f2b.bin` `183ce8f16503387befe88332a30c4b39a881218d822d88eeedcfa574a0297fc4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F2B	11656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.