PDF malware analysis — malicious · f864434c6a0a20d9

MALICIOUS

PDF

43.5 KB Created: 2020-10-02 00:56:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 79a45e3cda57f187621cd6ec5c66bd4f SHA-1: 32fc69bd7fffcacc495e00f631aa9da3d10d4eb6 SHA-256: f864434c6a0a20d9be283bd9027a6e762ea0789797ab8c7ca93247962a95cb5b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF document contains a large number of embedded links, many of which point to external PDF files hosted on various platforms. One critical heuristic identified a link to a known malicious redirector, https://gettraff.ru/strik?keyword=minecraft+witchery+vampire+guide, suggesting a phishing or malware distribution attempt. The document body, though heavily corrupted, also contains this URL, reinforcing its role as a lure. The presence of a link farm indicates an attempt to manipulate search engine results or distribute malicious content through a large number of seemingly innocuous links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/strik?keyword=minecraft+witchery+vampire+guide
- https://site-1036807.mozfiles.com/files/1036807/pegufezelujan.pdf
- https://site-1036929.mozfiles.com/files/1036929/xovugawanupifoxiwuwo.pdf
- https://site-1037019.mozfiles.com/files/1037019/newira.pdf
- https://site-1038851.mozfiles.com/files/1038851/19478148059.pdf
- http://sizamuw.gogginslonestarfarms.com/uploads/1/3/1/4/131452743/9510401.pdf
- http://files.okuunzen.org/uploads/1/3/2/6/132681450/3398093.pdf
- http://tanapokel.avic2020.org/uploads/1/3/1/4/131453133/9303117.pdf
- http://vemixilev.zygos4art.com/uploads/1/3/2/8/132814928/fekejevajunasa.pdf
- https://uploads.strikinglycdn.com/files/491c3cf0-3f5a-49cd-95cf-a326396be3ef/67908421954.pdf
- https://uploads.strikinglycdn.com/files/9de0b4b9-650c-4b3d-8c8c-787a2cfdb8d9/37900181204.pdf
- https://uploads.strikinglycdn.com/files/e2f8e485-a72f-45a1-adc5-8fa1f493e2ca/bobebezepab.pdf
- https://uploads.strikinglycdn.com/files/f0ce2430-7f38-4b10-8234-c916f50453cb/48928701789.pdf
- https://uploads.strikinglycdn.com/files/a013b015-a433-43bf-a590-92d751f02554/loxizodiw.pdf
- https://uploads.strikinglycdn.com/files/1520c3ce-a1f0-44d3-bc71-9c626f929f0d/mujigimelovedesajes.pdf
- https://uploads.strikinglycdn.com/files/06502603-99ac-4708-8c74-53e90dd51c4b/19514909354.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b96.bin` `5ee967f201f7f55a7dfe43f50a307e2820169e544ef7665f743982a5210e0af8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B96	5620 bytes
`font_01_sfnt_off00007eba.bin` `0f7cf0887ec18bc3613e34c0b1f982d7f67d56eb47afff088a2a7a6f9a404cd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EBA	10324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.