PDF malware analysis — malicious · f9b3a7bf69527f22

MALICIOUS

PDF

41.7 KB Created: 2020-08-31 03:54:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4eb7ac7bf1259b1d06a96989348acb40 SHA-1: bbabf9f26296df2016ef6a4458d7ee18f4d490b5 SHA-256: f9b3a7bf69527f229a973881cea65872246ea99d63890dc67fa2f369f967b670

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, pointing to 'https://ttraff.ru/wix?keyword=guion+de+spot+de+radio'. Additionally, PDF_SEO_LINK_FARM indicates a mass of external PDF links, with the first being 'https://cdn.shopify.com/s/files/1/0435/2219/5608/files/renitiwonuvalinuxobikuva.pdf'. The document body contains obfuscated text and the redirector URL, suggesting a lure to external malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=guion+de+spot+de+radio
- https://cdn.shopify.com/s/files/1/0435/2219/5608/files/renitiwonuvalinuxobikuva.pdf
- https://cdn.shopify.com/s/files/1/0434/1910/7495/files/the_rise_of_islam_crossword_puzzle_answers.pdf
- https://cdn.shopify.com/s/files/1/0438/1959/7981/files/suvilamaxonogudirebovipa.pdf
- https://cdn.shopify.com/s/files/1/0463/9693/2251/files/67736076727.pdf
- https://cdn.shopify.com/s/files/1/0429/5449/0012/files/31035455164.pdf
- https://cdn.shopify.com/s/files/1/0433/6055/1062/files/89840587147.pdf
- https://cdn.shopify.com/s/files/1/0431/4388/9052/files/office_depot_white_address_label_template.pdf
- https://cdn.shopify.com/s/files/1/0431/8091/6893/files/baixar_livro_as_catacumbas_de_roma_em.pdf
- https://cdn.shopify.com/s/files/1/0435/3690/8439/files/59454102720.pdf
- https://cdn.shopify.com/s/files/1/0428/4622/4551/files/85868816445.pdf
- https://cdn.shopify.com/s/files/1/0430/8346/4855/files/beaglebone_black_wireless_schematic.pdf
- https://cdn.shopify.com/s/files/1/0428/5346/6271/files/megaman_10_wad.pdf
- https://static.usrfiles.com/ugd/a01749_75cb93d522a249dca0760f41f09b5cd4.pdf
- https://static.usrfiles.com/ugd/7ff653_639c19c5580b4c3eb1cbd6f2d6618ab6.pdf
- https://static.usrfiles.com/ugd/93971e_2d690df5d1214235b43c6f804cace92f.pdf
- https://static.usrfiles.com/ugd/ecec20_5997fe1417174b12bd70b4d2c1ab0b31.pdf
- https://static.usrfiles.com/ugd/eb5a6a_e776c67786274ea4b608c1ebad4db4b9.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064f9.bin` `17f956002f6aef64dbb077ef9487ab4d2dee6167476f93018f47dd95ab96572d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64F9	4952 bytes
`font_01_sfnt_off000075dd.bin` `d488a89a9049f7b83862f16c8cc0ef191d1c5674e90e81bab08e49cfb20f9c33`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75DD	10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.