Malware Insights
The PDF file contains numerous embedded links, a tactic often used for SEO poisoning or to redirect users to malicious sites. One critical heuristic identified a link to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wb?keyword=jbl%20headphones%20e45bt%20manual'. The document body also contains text related to 'Jbl headphones e45bt manual', suggesting a lure to disguise the malicious links. The presence of a large number of PDF links, many pointing to numeric slugs, further supports the SEO link farm heuristic.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.ru/wb?keyword=jbl%20headphones%20e45bt%20manual
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000053b7.bin 3401ec8dfe523c6db8d97c2465c0a06ba4584d2dc9a87e7c17a033521a678f9d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x53B7 | 5280 bytes |
| font_01_sfnt_off00006578.bin dcb757bb762a88cb4a846f88ca2eabdc09a93c218876f7437ed902a9734e2a0c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6578 | 14780 bytes |