Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3586d7ec4b3233e…

Verdict: MALICIOUS
File type: PDF
Size: 70.2 KB
Created: 2020-08-04 21:12:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7858ec207352d31754626c965513f482
SHA-1: e89c1790e60d6a0307b674fa19d21ee588243f16
SHA-256: f3586d7ec4b3233e68b75af3701b782d8ab3f128970d0965087585a9de527e35
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link to a redirector hosted on 'ttraff.ru' which is flagged as malicious. The document also functions as a link farm, directing users to numerous PDFs hosted on Shopify, likely to obscure the malicious redirector. The presence of a 'download button' heuristic further supports a lure-based attack. No scripts were extracted, limiting the analysis to the document's structure and embedded links.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=akbar+birbal+stories+in+english+with+moral+pdf (the flagged redirector link referenced above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d3bc.bin
SHA-256: 7958e07c6021ff0710ad5aba292e8ece533e3ae8f6478ddfc601186f647b380d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD3BC
Size: 5740 bytes

Filename: font_01_sfnt_off0000e72c.bin
SHA-256: 37787a61a0eb18c886cc41b223525b6d5af2dbf1bdd8f884efceec7dbda67c96
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE72C
Size: 10588 bytes