PDF malware analysis — malicious · df22c108c3eb597e

MALICIOUS

PDF

40.7 KB Created: 2020-08-08 19:39:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 872c40ccdae21b16643cb42e2df98f84 SHA-1: 3693c53d4e2a54193391e3704856358388aa3afe SHA-256: df22c108c3eb597e250b499d015f5d323fd161bfa64c36a7a1cf1d8d5137d3c7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. Additionally, it exhibits a PDF link farm behavior, embedding numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same URL and text as the redirector's keyword parameter, suggesting a lure to a malicious site. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=primary+auxiliary+verbs+pdf
- http://files.annpopepotter.com/uploads/1/3/1/6/131606186/0dfc029fd463.pdf
- http://files.medicarespecialist.com/uploads/1/3/2/3/132302710/kovogikavonofafup.pdf
- http://files.nalinikrishnankutty.com/uploads/1/3/0/9/130969469/ridorigu-tidajuvini.pdf
- http://linozalo.northernchainspecialties.com/uploads/1/3/2/3/132303230/dolibifivagixe.pdf
- http://files.markhamcitylimos.com/uploads/1/3/1/4/131453256/bfea5.pdf
- https://cdn.shopify.com/s/files/1/0429/3161/7945/files/vuzuz.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tovovowegafakaroseras.pdf
- https://cdn.shopify.com/s/files/1/0430/5243/3557/files/sogizikidikuvotijuguzexiw.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1013/files/76680825884.pdf
- https://cdn.shopify.com/s/files/1/0431/8865/0142/files/92085567053.pdf
- https://cdn.shopify.com/s/files/1/0440/0968/5157/files/hanuman_chalisa_telugu_with_images.pdf
- https://cdn.shopify.com/s/files/1/0435/4444/5079/files/fojex.pdf
- https://cdn.shopify.com/s/files/1/0430/9604/7783/files/aws_certified_solutions_architect_associate_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31903895201.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/36149341097.pdf
- https://cdn.shopify.com/s/files/1/0429/8014/7359/files/32645232961.pdf
- https://cdn.shopify.com/s/files/1/0432/6971/8182/files/worupetofesaw.pdf
- https://cdn.shopify.com/s/files/1/0430/1779/7785/files/44616256365.pdf
- https://cdn.shopify.com/s/files/1/0438/0295/1842/files/zarirusaz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006171.bin` `3453a1540b3bbe94b0cf33965e3baed0c50bd381dc248ff5fd1c9fbf76649f99`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6171	5560 bytes
`font_01_sfnt_off00007449.bin` `129316c0717b8e7e97a7f7c5a76dcfe254bed2a5cdffed674d978edfc06ab900`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7449	9796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.