PDF malware analysis — malicious · dee639b2e3ccf190

MALICIOUS

PDF

45.4 KB Created: 2020-08-12 01:48:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 876f129ed3eecc065235f080a2089f6f SHA-1: eb69600b8999fa38c260f5a13a7d7764d574b237 SHA-256: dee639b2e3ccf190e862621fc63f10d8058ab8c841c4ce618ac64c6c96c723da

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=bhagat+singh+speech+in+english+pdf'. The document body, though heavily obfuscated, also contains this URL and other Shopify-hosted PDF links, suggesting a link farm or SEO poisoning tactic. The primary attack pattern involves luring the user to click the malicious redirector URL, likely leading to further malicious content or exploitation.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bhagat+singh+speech+in+english+pdf
- http://files.ec7mmea.org/uploads/1/3/1/6/131606859/zixamusamu.pdf
- http://zozap.cyclenewengland.com/uploads/1/3/1/1/131163599/584585b23c2.pdf
- http://files.immaculataschool.org/uploads/1/3/0/9/130969735/4334773.pdf
- http://files.techniquejobs.com/uploads/1/3/1/0/131071067/6984d4e15d.pdf
- https://cdn.shopify.com/s/files/1/0433/1687/1326/files/pl_sql_programming_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0431/8085/1364/files/gegevesibixadudibakedutu.pdf
- https://cdn.shopify.com/s/files/1/0437/9007/4018/files/49438549402.pdf
- https://cdn.shopify.com/s/files/1/0430/5335/1066/files/nominal_ordinal_interval_ratio_examples.pdf
- https://cdn.shopify.com/s/files/1/0431/2003/3943/files/job_application_letter_free_download.pdf
- https://cdn.shopify.com/s/files/1/0430/5181/0969/files/71830855749.pdf
- https://cdn.shopify.com/s/files/1/0429/4891/9450/files/aws_infrastructure_as_code.pdf
- https://cdn.shopify.com/s/files/1/0436/3495/0304/files/24107656772.pdf
- https://cdn.shopify.com/s/files/1/0430/9542/5191/files/84276616899.pdf
- https://cdn.shopify.com/s/files/1/0429/8617/6675/files/public_relations_department.pdf
- https://cdn.shopify.com/s/files/1/0435/8402/8833/files/23637665144.pdf
- https://cdn.shopify.com/s/files/1/0430/7920/5018/files/pafopefe.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000718b.bin` `0dc1377726c933c9036c0685afa92c80095c72e5d172fa4a28893f71a4b2ca94`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x718B	5368 bytes
`font_01_sfnt_off000083cb.bin` `57fef75482a8717a37ae8fbafff6f7882582924624eb44bbc15ddd2d4ce38526`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x83CB	11044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.