PDF malware analysis — malicious · e3ce3386f9fa0adc

MALICIOUS

PDF

43.4 KB Created: 2020-08-30 12:55:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 459a4150ace50adcaa02c89bc9279954 SHA-1: 9037a8ec967ecc3b7e8806be85093689b7c7dd46 SHA-256: e3ce3386f9fa0adc915a8ab385346403d35cc8353fe98f3e40aa7b8f4be8ed1a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, which is a common tactic for delivering malware or phishing pages. The document body, though heavily obfuscated, contains text related to 'Gta türk hileleri' and the malicious URL, suggesting a lure for game-related cheats. The presence of a large number of embedded links to Shopify, while many are benign, indicates a link farm strategy, likely to improve SEO for the malicious redirector. No scripts were extracted, but the PDF structure and embedded links strongly suggest a malicious redirection attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=gta+t%25C3%25BCrk+hileleri
- https://cdn.shopify.com/s/files/1/0432/0709/8529/files/zebelaso.pdf
- https://cdn.shopify.com/s/files/1/0432/3124/8542/files/27424603183.pdf
- https://cdn.shopify.com/s/files/1/0447/9510/1345/files/witolo.pdf
- https://cdn.shopify.com/s/files/1/0429/5835/6639/files/gojosix.pdf
- https://cdn.shopify.com/s/files/1/0431/4251/2802/files/wowefolik.pdf
- https://cdn.shopify.com/s/files/1/0431/7983/5547/files/62661968192.pdf
- https://cdn.shopify.com/s/files/1/0438/4745/0774/files/35722316705.pdf
- https://cdn.shopify.com/s/files/1/0454/2785/1422/files/83887003158.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sobobubujuwin.pdf
- https://static.usrfiles.com/ugd/c836c3_b652c41a51dd4afc9a25a9e789bdf897.pdf
- https://static.usrfiles.com/ugd/b8c837_41310221f81c48ce8a5205191e977e42.pdf
- https://cdn.shopify.com/s/files/1/0464/4909/8920/files/cryptography_and_network_security_so.pdf
- https://cdn.shopify.com/s/files/1/0436/9167/1705/files/33344906195.pdf
- https://cdn.shopify.com/s/files/1/0433/9105/8070/files/bsc_2nd_year_chemistry_syllabus_2019.pdf
- https://cdn.shopify.com/s/files/1/0433/7513/2824/files/acrobat_professional_free.pdf
- https://cdn.shopify.com/s/files/1/0437/1339/6901/files/medical_terminology_for_health_professions_workbook_answers.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000069a1.bin` `9175864db2f4548e00d084d89660679e664e618f8a934a5ea353a54199113faa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69A1	4812 bytes
`font_01_sfnt_off000079c7.bin` `490be97367bca450982e4e769719e30b522a6d7fc03b35e680dd18c705eeed4b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79C7	12024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.