PDF malware analysis — malicious · e283a1eb7219faca

MALICIOUS

PDF

51.4 KB Created: 2020-08-21 13:49:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 75969bf8cafd5e62e8f0aa8c15ff9b63 SHA-1: 4bb008d870b335830d4e0116999b85071a3fa1ec SHA-256: e283a1eb7219faca3c7794a505ca70c563812111985c9cf8ccb24cb5bbff99cf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.ru/pify?keyword=kendo+ui+dropdownlist+value+template', is flagged as a malicious redirector. The document body, though partially garbled, also contains this URL, suggesting it's a primary lure. The presence of numerous Shopify-hosted PDF links, while individually benign, contributes to the overall SEO-like structure, likely intended to obscure the malicious redirector.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=kendo+ui+dropdownlist+value+template
- http://sejipix.judithahopkins.com/uploads/1/3/1/4/131406202/9701107.pdf
- https://cdn.shopify.com/s/files/1/0431/7272/4897/files/51336292313.pdf
- https://cdn.shopify.com/s/files/1/0434/3355/8168/files/21150152780.pdf
- https://cdn.shopify.com/s/files/1/0431/5689/7947/files/bepuwikamosefurovi.pdf
- https://cdn.shopify.com/s/files/1/0441/0333/6088/files/ligapavumuwol.pdf
- https://cdn.shopify.com/s/files/1/0434/8359/4917/files/78515897403.pdf
- https://cdn.shopify.com/s/files/1/0430/3493/5447/files/puraxetosotavinixugagowe.pdf
- https://cdn.shopify.com/s/files/1/0433/1284/0872/files/15529897516.pdf
- https://cdn.shopify.com/s/files/1/0437/1136/5272/files/belling_oven_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/1662/6082/files/97643038868.pdf
- https://cdn.shopify.com/s/files/1/0429/6799/0438/files/99171159986.pdf
- https://cdn.shopify.com/s/files/1/0430/7392/9378/files/mysql_import_sql_file.pdf
- https://cdn.shopify.com/s/files/1/0437/0425/4615/files/alto_saxophone_lessons.pdf
- https://cdn.shopify.com/s/files/1/0431/8858/4605/files/squarespace_mx_records.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000676c.bin` `cd50a6fddf08ee2488818ae539223952ed5e64b31020472fde6050dec970ff52`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x676C	5224 bytes
`font_01_sfnt_off0000792e.bin` `2b06acabc83c103f45996e017315cb76e3f1c09b7639213d31c46cd7022ad666`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x792E	6520 bytes
`font_02_sfnt_off00008b22.bin` `5ab966c2692d417e5ffe41c91f2f5a3f7c7d2aede9b068d1287336f062d86dd9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B22	16364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.