PDF malware analysis — malicious · dbec2907c250ea5a

MALICIOUS

PDF

42.6 KB Created: 2020-08-12 02:05:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5a16afd64173a670b983a74ffd2630fd SHA-1: 5016d83537c3036f6d10882cd526f137c8b45e1f SHA-256: dbec2907c250ea5ad4fbcf7b7f8092838bad65b2ec7928e828d36271f263593e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=como+aprender+coreano+pdf', which is flagged as malicious. This indicates the document's primary purpose is to redirect users to malicious sites, likely for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=como+aprender+coreano+pdf
- http://files.pro-mx.com/uploads/1/3/1/4/131482962/lepezo_vositotuvil.pdf
- http://files.boldexpressionsco.com/uploads/1/3/2/7/132741535/6950420.pdf
- http://files.oakleyboycott.com/uploads/1/3/0/7/130776861/c7884ab2cd93e4.pdf
- http://files.jeecontentandcopy.com/uploads/1/3/1/6/131606819/2afeddf268.pdf
- http://lekanipe.wgct.org/uploads/1/3/2/7/132710507/tebisadegir_durelep_bajixoji_limuzojimoxilif.pdf
- https://cdn.shopify.com/s/files/1/0433/7028/3166/files/daigremontiana_kalanchoe_aranto.pdf
- https://cdn.shopify.com/s/files/1/0430/7792/7072/files/nodagesexadinojovizasapo.pdf
- https://cdn.shopify.com/s/files/1/0433/7300/2906/files/72923961722.pdf
- https://cdn.shopify.com/s/files/1/0431/7492/0347/files/sepix.pdf
- https://cdn.shopify.com/s/files/1/0435/9464/5663/files/ediacaran_extinction_and_cambrian_explosion.pdf
- https://cdn.shopify.com/s/files/1/0437/0546/7035/files/63138175462.pdf
- https://cdn.shopify.com/s/files/1/0434/2992/0930/files/80405207643.pdf
- https://cdn.shopify.com/s/files/1/0431/8032/7076/files/luvubanizonom.pdf
- https://cdn.shopify.com/s/files/1/0433/0084/7780/files/wits_bsc_computer_science.pdf
- https://cdn.shopify.com/s/files/1/0436/1283/1907/files/80637605263.pdf
- https://cdn.shopify.com/s/files/1/0429/7188/9815/files/61488176738.pdf
- https://cdn.shopify.com/s/files/1/0429/5101/6601/files/23295884527.pdf
- https://cdn.shopify.com/s/files/1/0433/8309/5459/files/69342060164.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006697.bin` `1588c1810ab07528aab44dd7c322a7c9a4b159e7558f5f4334712abb19a49df9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6697	4996 bytes
`font_01_sfnt_off0000777a.bin` `1a5c0e007a3e6dd7dc101c256f04915f9becf91847711c4d6840c855e3598931`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x777A	11352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.