PDF malware analysis — malicious · f3baf8b014d1dca2

MALICIOUS

PDF

41.3 KB Created: 2020-08-05 08:00:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3b222764cb1122553a5d0487c1417978 SHA-1: 98f829fb9068efb5ee641fdd07ed51174635bfa2 SHA-256: f3baf8b014d1dca28be43c9c22411691b7cffba87014850318d0bb4c584b22a1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that the link 'https://ttraff.ru/pify?keyword=pdf+book+app+android' leads to known malicious infrastructure. The 'PDF_SEO_LINK_FARM' heuristic further supports this, noting a mass of external PDF links, many hosted on cdn.shopify.com, suggesting an attempt to manipulate search results or distribute malicious content through a large number of seemingly benign links. The document body itself is heavily obfuscated and contains the malicious redirector URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=pdf+book+app+android
- http://files.paulmetcalf.net/uploads/1/3/2/3/132303329/wodat.pdf
- http://files.heymarcomusic.com/uploads/1/3/0/8/130874474/siwoviku_lupumusaxemu.pdf
- http://files.maxiesknitwear.com/uploads/1/3/1/6/131637635/renefusi.pdf
- http://files.jasonkinneyband.com/uploads/1/3/1/4/131407080/29a71a23b1d.pdf
- https://cdn.shopify.com/s/files/1/0428/7637/1110/files/bruskers_guitar_duo.pdf
- https://cdn.shopify.com/s/files/1/0429/0455/1590/files/zajavoperakuju.pdf
- https://cdn.shopify.com/s/files/1/0439/6898/7294/files/crazyfrog_ring_tone.pdf
- https://cdn.shopify.com/s/files/1/0429/7090/6780/files/45924000712.pdf
- https://cdn.shopify.com/s/files/1/0431/5804/4827/files/you_are_using_safe_update_mode.pdf
- https://cdn.shopify.com/s/files/1/0428/5700/5215/files/39379568259.pdf
- https://cdn.shopify.com/s/files/1/0432/9363/8811/files/59071854409.pdf
- https://cdn.shopify.com/s/files/1/0431/5463/6966/files/13480504425.pdf
- https://cdn.shopify.com/s/files/1/0432/6899/7288/files/batabimijive.pdf
- https://cdn.shopify.com/s/files/1/0433/3672/8735/files/77723510613.pdf
- https://cdn.shopify.com/s/files/1/0437/9593/9488/files/custom_discord_invite_link.pdf
- https://cdn.shopify.com/s/files/1/0437/2057/3080/files/dowofolakanulonewaziz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006464.bin` `60a083df395758822e272674a5ba39bc9dac3be4ef3c792c4c78a964874854d3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6464	5028 bytes
`font_01_sfnt_off00007591.bin` `70fc084d6b4781cf2c3a1263fe8d688a9db18ba7e45ea4e509feca7b95afb48a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7591	10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.