PDF malware analysis — malicious · e12e8d849f1a7c0b

MALICIOUS

PDF

46.7 KB Created: 2020-08-22 23:01:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6d71579eb7b6c2501d9e906011507d32 SHA-1: 5c861a490f901a65759575a0269fb1b7a1726f22 SHA-256: e12e8d849f1a7c0b9492e85c4bb544105c1918c6f5b15bdc01122acd3394f61d

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to ttraff.ru. The document body, though heavily obfuscated, contains the same URL and a lure related to a 'score card'. This suggests the document is designed to trick the user into clicking the malicious link, likely leading to further compromise. The presence of a large number of external PDF links also indicates a link farm, potentially for SEO poisoning or distributing malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=mah+mba+cet+2019+score+card
- http://files.smarie94.co.uk/uploads/1/3/1/4/131437878/1725382.pdf
- http://files.stacisstitches.com/uploads/1/3/0/8/130814297/betipekuger_mapojasuxe_dixogen_perefu.pdf
- https://cdn.shopify.com/s/files/1/0430/8477/5577/files/parigepatowaxafi.pdf
- https://cdn.shopify.com/s/files/1/0439/4758/9800/files/donakagodovokore.pdf
- https://cdn.shopify.com/s/files/1/0433/7297/0133/files/pumowonuxomiwumegixivi.pdf
- https://cdn.shopify.com/s/files/1/0437/7152/7319/files/hiring_process_steps_template.pdf
- https://cdn.shopify.com/s/files/1/0430/4899/2919/files/81391615826.pdf
- https://cdn.shopify.com/s/files/1/0431/3687/6695/files/baxavuverivo.pdf
- https://cdn.shopify.com/s/files/1/0428/2892/3046/files/que_es_el_clearance_de_creatinina.pdf
- https://cdn.shopify.com/s/files/1/0433/7047/9768/files/chidinma_kedike_mp4.pdf
- https://cdn.shopify.com/s/files/1/0431/6689/2186/files/nene_ambani_telugu_naa_songs_free.pdf
- https://cdn.shopify.com/s/files/1/0434/9935/6324/files/54251973709.pdf
- https://cdn.shopify.com/s/files/1/0431/5699/6245/files/visazuxisalivununud.pdf
- https://cdn.shopify.com/s/files/1/0429/8915/8554/files/27724765589.pdf
- https://cdn.shopify.com/s/files/1/0432/0532/9064/files/visuxikodi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006efe.bin` `7e5741b135e2c6a7682d880feb81f905707bf668297304d5fa3970d03b597de2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6EFE	5776 bytes
`font_01_sfnt_off00008283.bin` `e6eca57b703f97a8f3e6f33bc7f3a4cbe520a6753968ca00f0f8cbd6d6d89771`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8283	14292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.