PDF malware analysis — malicious · e76de83028367289

MALICIOUS

PDF

47.6 KB Created: 2020-08-24 06:21:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0fcccabcdc3414b7c549fa0ad69bf3ff SHA-1: 6a620cff60082b53b3c6367d481f4baec2b422f2 SHA-256: e76de83028367289afdd8ac6fe888a429fb09c5ed6119dee6c2e5867ccb5f11b

148 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains multiple embedded links, with a critical heuristic identifying a malicious redirector. The document body text and heuristics suggest a lure impersonating a document signing service, encouraging the user to click a 'download' link. This link, 'https://ttraff.ru/pify?keyword=managed+services+agreement+template', is identified as a malicious redirector. The presence of numerous links to external PDFs, including one hosted on cdn.shopify.com, indicates a link farm strategy, likely to obscure the final malicious destination.

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Document signing service impersonation lure medium SE_DOCUSIGN_LURE

Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=managed+services+agreement+template
- http://files.carlyturro.com/uploads/1/3/2/7/132712545/5516394.pdf
- http://files.denisehibbard.com/uploads/1/3/2/6/132695516/02fa9121d19.pdf
- https://cdn.shopify.com/s/files/1/0431/5712/7336/files/caterpillar_generator_sets_catalogue.pdf
- https://cdn.shopify.com/s/files/1/0434/1468/3813/files/11366875967.pdf
- https://cdn.shopify.com/s/files/1/0444/1587/7287/files/soxitolawa.pdf
- https://cdn.shopify.com/s/files/1/0430/5482/5621/files/79906784890.pdf
- https://cdn.shopify.com/s/files/1/0438/4194/5760/files/57705891259.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/meragavafeduxilaxopuxaw.pdf
- https://cdn.shopify.com/s/files/1/0436/9154/0634/files/pekijajadana.pdf
- https://cdn.shopify.com/s/files/1/0432/5723/3576/files/90095369211.pdf
- https://cdn.shopify.com/s/files/1/0430/8058/1274/files/xurokifules.pdf
- https://cdn.shopify.com/s/files/1/0437/6592/3992/files/80866785123.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007b42.bin` `87b3a25e7ccca88eca5492604e6db3d65be436820b5bbcb32db35b6ca15e8cc5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B42	5460 bytes
`font_01_sfnt_off00008dca.bin` `7e2c04905632f0814fd0a90874b0198d599e43af8cbe780f2c29a06033b43619`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DCA	10492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.