PDF malware analysis — malicious · fcd3b1f735eb796e

MALICIOUS

PDF

44.2 KB Created: 2020-07-27 08:42:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9c6774d1f5625e938a7bd0a4398520ab SHA-1: 5c5d133b1a81220f231b1ed7cb3f751800453fe2 SHA-256: fcd3b1f735eb796e95b838da825f229348d831dfdb403c26adc4fa3fad88a761

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Attachment T1059.003 Windows Command Shell

The PDF contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO poisoning tactic. One critical heuristic indicates a link to a known malicious redirector at 'ttraff.ru'. Another heuristic suggests the document instructs the user to interact with command-line tools, likely to facilitate further malicious activity. The document body is heavily obfuscated and does not provide clear textual content for analysis.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=autocad+electrical+tutorial
- http://files.hinchinbrookresearch.com/uploads/1/3/1/3/131383318/befudexona.pdf
- http://files.mauriceshapero.com/uploads/1/3/2/6/132681201/jobov.pdf
- http://files.printpastelandpaint.com/uploads/1/3/2/6/132681560/ae9aac77.pdf
- http://files.mauriceshapero.com/uploads/1/3/2/6/132
- https://cdn.shopify.com/s/files/1/0432/6237/8152/files/60414460070.pdf
- https://cdn.shopify.com/s/files/1/0429/4131/7276/files/75738972649.pdf
- https://cdn.shopify.com/s/files/1/0431/6148/5471/files/84632372369.pdf
- https://cdn.shopify.com/s/files/1/0436/0844/0990/files/jisevifibegu.pdf
- https://cdn.shopify.com/s/files/1/0427/8488/2844/files/3087093398.pdf
- https://cdn.shopify.com/s/files/1/0432/7096/3350/files/xudor.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/17612659915.pdf
- https://cdn.shopify.com/s/files/1/0437/0094/5048/files/34174091074.pdf
- https://cdn.shopify.com/s/files/1/0430/6921/0773/files/85267805383.pdf
- https://cdn.shopify.com/s/files/1/0435/1347/9320/files/gazawe.pdf
- https://cdn.shopify.com/s/files/1/0436/7400/9753/files/sowit.pdf
- https://cdn.shopify.com/s/files/1/0429/6104/3605/files/dufetenafafowevege.pdf
- https://cdn.shopify.com/s/files/1/0429/0831/9907/files/bamomiwagivexoponiw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000071e3.bin` `876359adb5ed041008a9d609749734664067dc8bbc96536593cf4f8249717444`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71E3	4520 bytes
`font_01_sfnt_off00008149.bin` `e587bc549367549b60a486ee86687a747586cd9db3dddcb3540c375295dc8e41`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8149	9900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.