PDF malware analysis — malicious · f62dbcd8853cff27

MALICIOUS

PDF

41.5 KB Created: 2020-08-24 15:54:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 933fb809d748adf13190fa55daf43c82 SHA-1: bb03284501448410d06fc0d4305dfdd209f1b5c5 SHA-256: f62dbcd8853cff27caff34e90f0cb317e76c4f2ae4b15d79620c655edbb9cbf2

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a tracking report, aiming to lure users to a malicious site. The document body, though heavily obfuscated, contains the primary malicious URL. The presence of a link farm and visible command execution instructions further indicate malicious intent. The primary malicious URL is https://ttraff.ru/pify?keyword=hmm+tracking+report.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=hmm+tracking+report
- http://files.flatspokecycles.com/uploads/1/3/1/4/131408529/6549756.pdf
- http://files.ofra-yitzhaki.com/uploads/1/3/0/9/130969754/sogebamopepek.pdf
- http://mojabuz.landscapegardenerscamberley.co.uk/uploads/1/3/1/4/131483245/lebajojom.pdf
- https://cdn.shopify.com/s/files/1/0429/6690/9081/files/70444874444.pdf
- https://cdn.shopify.com/s/files/1/0461/8148/2649/files/ritan.pdf
- https://cdn.shopify.com/s/files/1/0435/0060/1504/files/tasumosigivulofuzibomajuw.pdf
- https://cdn.shopify.com/s/files/1/0430/8625/0137/files/hallelujah_piano_sheet_with_letters.pdf
- https://cdn.shopify.com/s/files/1/0431/2884/8538/files/82903811964.pdf
- https://cdn.shopify.com/s/files/1/0431/3792/5281/files/biwizukoravaworulote.pdf
- https://cdn.shopify.com/s/files/1/0434/1828/8284/files/free_editable_infographic_template.pdf
- https://cdn.shopify.com/s/files/1/0432/4609/2443/files/alex_viada_training_program.pdf
- https://cdn.shopify.com/s/files/1/0436/2013/9170/files/cmd_hack_codes_list.pdf
- https://cdn.shopify.com/s/files/1/0437/2915/8295/files/44153728678.pdf
- https://cdn.shopify.com/s/files/1/0432/0952/3355/files/81722848320.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005571.bin` `eca1908c5d0cdc404335466fe2a93b135a1790be723c31ceaabc9797bf44b1b8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5571	4856 bytes
`font_01_sfnt_off000065c6.bin` `b4bd604146f29f24fa0649512b24eb56929cf905eac63adfd4c17b745ecb48cc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65C6	11484 bytes
`font_02_sfnt_off00008b8f.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B8F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.