PDF malware analysis — malicious · f47e2b6dd9dd4ca0

MALICIOUS

PDF

122.9 KB Created: 2020-08-23 16:49:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 92cc3dc902b1917a02957b00bca442bf SHA-1: a16dd6ccd1abf36f270c0421acd046c532ba466f SHA-256: f47e2b6dd9dd4ca0395246196a61ada501acac88814555897d45ad5cf7fdb160

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with a critical heuristic firing indicating it points to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to bacteria and a URL that appears to be part of a link farm. The primary malicious URL identified is https://ttraff.ru/pify?keyword=does+bacillus+subtilis+form+spores, which is likely used to redirect users to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=does+bacillus+subtilis+form+spores
- http://files.zelementclub.com/uploads/1/3/1/8/131872149/risamelowego.pdf
- http://fujis.postmarkrecords.com/uploads/1/3/1/6/131606624/lowivamolukawaka.pdf
- https://cdn.shopify.com/s/files/1/0431/9212/3554/files/mojifoxaguva.pdf
- https://cdn.shopify.com/s/files/1/0435/1708/3803/files/vilofo.pdf
- https://cdn.shopify.com/s/files/1/0435/8628/9832/files/cdisc_controlled_terminology.pdf
- https://cdn.shopify.com/s/files/1/0428/0621/4819/files/removing_metadata_from.pdf
- https://cdn.shopify.com/s/files/1/0431/2930/7293/files/wurunulatananu.pdf
- https://cdn.shopify.com/s/files/1/0439/4464/0667/files/prodigy_level_hack.pdf
- https://cdn.shopify.com/s/files/1/0429/1087/5815/files/pukekevobifat.pdf
- https://cdn.shopify.com/s/files/1/0432/2964/2916/files/cessna_152_instrument_panel.pdf
- https://cdn.shopify.com/s/files/1/0432/0549/2904/files/66215429336.pdf
- https://cdn.shopify.com/s/files/1/0437/3646/5559/files/55556276715.pdf
- https://cdn.shopify.com/s/files/1/0430/7936/8858/files/angular_6_format_datetime.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000183ec.bin` `6463c68da6f948eecf9e9bd706594416145d2eb083f9b506660f0dae1625b79d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x183EC	5076 bytes
`font_01_sfnt_off0001952d.bin` `3a6d895f051723aadf2ba9ff437e1d401fd421f3767666f688f1e37ce9734361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1952D	10952 bytes
`font_02_sfnt_off0001bac0.bin` `ebaa9d42c58e3fd25c8264bcf4ef2319fee467c92cf53dcc1f377a20fc8d39b0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1BAC0	16148 bytes
`font_03_sfnt_off0001cfb8.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1CFB8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.