PDF malware analysis — malicious · e92c33dd82cef06b

MALICIOUS

PDF

38.9 KB Created: 2020-08-07 23:54:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 85c27759520a8f4e360df6078943cf62 SHA-1: 3bcdc6daf593292ef5359b93150d49595c1a7c0c SHA-256: e92c33dd82cef06b475344ecdb16cb9f751bd31353f71b53bace6b66fd36d9ab

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link to a known malicious redirector at ttraff.ru. This indicates a social engineering attempt to drive traffic to malicious infrastructure. The document body itself is heavily obfuscated but contains references to the malicious URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=verithanam+keyboard+notes+pdf
- http://files.ourladysyork.org.uk/uploads/1/3/0/7/130738550/3e88fa4dfa4216.pdf
- http://files.egmmsmedia.com/uploads/1/3/1/3/131379680/ec0b578e4ba45.pdf
- http://files.bydesignholistichealth.com/uploads/1/3/1/3/131380263/f90a8d52.pdf
- http://sefiwa.myapptv.com/uploads/1/3/0/7/130739835/6491171.pdf
- http://files.azkillerbeessoftball.com/uploads/1/3/0/8/130874518/jemizip.pdf
- https://cdn.shopify.com/s/files/1/0432/5661/0969/files/munedep.pdf
- https://cdn.shopify.com/s/files/1/0437/7283/8039/files/advantages_of_technology_in_agriculture.pdf
- https://cdn.shopify.com/s/files/1/0428/5808/6559/files/zuvurura.pdf
- https://cdn.shopify.com/s/files/1/0432/3183/8368/files/pilaviwozebenujototedoti.pdf
- https://cdn.shopify.com/s/files/1/0433/3273/1038/files/96784120258.pdf
- https://cdn.shopify.com/s/files/1/0433/4367/5560/files/senizo.pdf
- https://cdn.shopify.com/s/files/1/0432/7990/9028/files/tijefok.pdf
- https://cdn.shopify.com/s/files/1/0440/2325/1094/files/clicker_heroes_android_hack.pdf
- https://cdn.shopify.com/s/files/1/0429/5573/5193/files/ukulele_fingerpicking_patterns.pdf
- https://cdn.shopify.com/s/files/1/0431/4585/5137/files/bafudaputonadesakased.pdf
- https://cdn.shopify.com/s/files/1/0431/1898/5370/files/christian_apologetics_groothuis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000046b4.bin` `f1a68a109e7b80c089710cf54715e665e22c3f4cacaff0888b7e4c2ff2928008`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x46B4	5520 bytes
`font_01_sfnt_off0000594e.bin` `038beb18e1e7085a3d59c8098935d115c837800d6433811ca4a30faccdef52b7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x594E	9360 bytes
`font_02_sfnt_off00007968.bin` `ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7968	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.