PDF malware analysis — malicious · f771c48a787e5cee

MALICIOUS

PDF

38.1 KB Created: 2020-08-30 20:31:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5129359c011af632e373cf664b53ad72 SHA-1: 6be6729d0a842fa77b017271ef81d05bb32677d4 SHA-256: f771c48a787e5cee0655d3a96d5d35fba33a26c7aea4bd2397c16344fd235bb0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. This URL is presented in the document body, disguised as a link to a game-related PDF on Scribd. The document also contains a large number of embedded links, many pointing to Shopify, which is flagged as a link farm. The primary malicious URL is likely used to redirect the user to a phishing site or a malware download.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=mordenkainen%2527s+tome+of+foes+pdf+scribd
- https://cdn.shopify.com/s/files/1/0463/5050/0002/files/peliliduwepexutep.pdf
- https://cdn.shopify.com/s/files/1/0430/0275/7281/files/bukupebele.pdf
- https://cdn.shopify.com/s/files/1/0429/5157/3657/files/dimun.pdf
- https://cdn.shopify.com/s/files/1/0440/7784/2584/files/curriculum_guide_in_math.pdf
- https://cdn.shopify.com/s/files/1/0432/2738/1920/files/install_adobe_flash_player_on_android_smartphone.pdf
- https://static.usrfiles.com/ugd/9a242c_51a30fb562164234bf63b29cdc5ec182.pdf
- https://static.usrfiles.com/ugd/ca32a8_9ab98989c2a64a9885b8f0df3bc83471.pdf
- https://static.usrfiles.com/ugd/6a7407_3aa54e2c488e46b6957409a625e45de1.pdf
- https://static.usrfiles.com/ugd/41a0b6_1fbdaa6bc36c451385a0051dfc096815.pdf
- https://static.usrfiles.com/ugd/90423f_281f84a66667461fa0f78e6a67c6c75f.pdf
- https://static.usrfiles.com/ugd/11f207_918112b381ae48c3a6e925f71664fb5d.pdf
- https://static.usrfiles.com/ugd/02beb7_15e5b6f17ef44dd59f0dbdbf6b5fe5e4.pdf
- https://static.usrfiles.com/ugd/4e6dd5_c848b4572e394141aed839ea43e56ee8.pdf
- https://static.usrfiles.com/ugd/764aaa_2ab59cfdc7574e2e8d6bc5fef9ca42e6.pdf
- https://static.usrfiles.com/ugd/784815_1f92f1e00f9f49979df14db051315f87.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000044bc.bin` `c10256c68563cac580a24f3c800117ac1720484a3fa922a2e69a343f568a580f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x44BC	5512 bytes
`font_01_sfnt_off0000576c.bin` `781b71de8b305b31a77054b1cfa69f25f9f08620fa223ca3d056705ae356fdd4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x576C	8792 bytes
`font_02_sfnt_off000075a7.bin` `95bdf1e51c91a347532f4b179d39af09e29107d578526feb1362f61cac632cad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75A7	16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.