PDF malware analysis — malicious · f8b0b90433c8144e

MALICIOUS

PDF

49.0 KB Created: 2020-08-29 22:58:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7341493a51277a0fa934c2e3675ea7cd SHA-1: 68aefe7c719cc6e85690b1d168d9cfdd45bf84f1 SHA-256: f8b0b90433c8144e54cc6064690456697d61e44adff99deb2ab7ecece47a3ea1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on Shopify. The document body, though heavily obfuscated, contains the malicious URL and several benign-looking Shopify URLs, suggesting a lure to a malicious site. No scripts were extracted, but the primary attack vector appears to be social engineering via a malicious link.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=coordinate+plane+graph+paper
- https://cdn.shopify.com/s/files/1/0429/7365/9290/files/sutesifopanekamidodeb.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/35022180152.pdf
- https://cdn.shopify.com/s/files/1/0431/8520/9506/files/66096833129.pdf
- https://cdn.shopify.com/s/files/1/0435/6295/9006/files/44475061548.pdf
- https://cdn.shopify.com/s/files/1/0430/6590/1210/files/xatutu.pdf
- https://static.usrfiles.com/ugd/b52961_638fcfc7541946ec8ead4620da06d2b2.pdf
- https://static.usrfiles.com/ugd/b8c837_e7f2821b128948499859d5dc8850d0dc.pdf
- https://static.usrfiles.com/ugd/f4de5e_bd2746b5940e44d3b66d310f0d4df51d.pdf
- https://static.usrfiles.com/ugd/b8c837_247cd209853c4a25a96d0aec6944b7fd.pdf
- https://static.usrfiles.com/ugd/b8c837_09714c9640e64a18a20a9b21644430a9.pdf
- https://static.usrfiles.com/ugd/b8c837_a811c98b19fb400c9221fc933725b746.pdf
- https://static.usrfiles.com/ugd/b8c837_c8cd22d591d64e009cedc85c9e5d6fd6.pdf
- https://static.usrfiles.com/ugd/b8c837_574a705aa07d4f799105fe34f2ab17ff.pdf
- https://static.usrfiles.com/ugd/26481d_1c16ef1b81cc45229c28df4bfeeae144.pdf
- https://static.usrfiles.com/ugd/b9801a_df493ad7e0834ba5aee58415cead3383.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000075dc.bin` `307595de45bde80640c7de55bd10dd221dbd8aa8897c7fdc77e07998b166358b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75DC	4852 bytes
`font_01_sfnt_off0000864f.bin` `3ffd36ade5b636ade71c9c4dd272cb1e60d085cf29884027bf67cc482d43f034`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x864F	10052 bytes
`font_02_sfnt_off0000a8b8.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA8B8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.