PDF malware analysis — malicious · 1a1f7a739b21be1c

MALICIOUS

PDF

51.1 KB Created: 2020-08-29 23:32:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 604d214f4434dc59a679907304a661ae SHA-1: 864c597dbe9ed0bcfae0b40bfe9a978865ce3194 SHA-256: 1a1f7a739b21be1c47f9def2d97a12959b2b79cf6a0e50f528f330f20c48dba6

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link disguised as a download button, which redirects to a known malicious domain (ttraff.com). This suggests a phishing or social engineering attack aimed at tricking users into visiting a malicious site. The presence of numerous other PDF links, many hosted on shopify.com and static.usrfiles.com, indicates a potential link farm or SEO poisoning attempt to distribute malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=resume+format+for+freshers+medical+officer
- https://cdn.shopify.com/s/files/1/0429/9420/4825/files/mufiwinusule.pdf
- https://cdn.shopify.com/s/files/1/0430/9699/8041/files/hiit_weight_training_program.pdf
- https://cdn.shopify.com/s/files/1/0428/5900/4070/files/62831644041.pdf
- https://static.usrfiles.com/ugd/daca0d_253ef312fb6e48799710f9d06b948628.pdf
- https://static.usrfiles.com/ugd/b8c837_5b2e3296347541adbc8f1a04cf718a93.pdf
- https://static.usrfiles.com/ugd/b8c837_5a2caabb41684b3a81bc8e9d9db780bf.pdf
- https://static.usrfiles.com/ugd/b8c837_e31096bca645476da2cf9c1840b4be8f.pdf
- https://static.usrfiles.com/ugd/ca300b_6230f157bb27471d9eeaad49847ca227.pdf
- https://static.usrfiles.com/ugd/b8c837_a6071401020040e89cf7e0f04e877af2.pdf
- https://static.usrfiles.com/ugd/b8c837_1a58b8b1cfb542448b49b2f8bbbae997.pdf
- https://static.usrfiles.com/ugd/b8c837_bdc34efc87aa42328f72b61516303866.pdf
- https://static.usrfiles.com/ugd/b8c837_492497955d6049b1af9958149695b4b1.pdf
- https://static.usrfiles.com/ugd/b8c837_b8c3f96b8e13470b834a4425a36cae95.pdf
- https://static.usrfiles.com/ugd/b8c837_c4561c2183f94120b0ed500ba06b6d3c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007f08.bin` `b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F08	2828 bytes
`font_01_sfnt_off00008903.bin` `a5ce4586c8faa871e60a983b3532cc7236caec1dca68f65572d0cbdb833f034b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8903	5268 bytes
`font_02_sfnt_off00009ac7.bin` `52c6dc41323511323ad0897492d6d836e8dee6a9ab8a4b1660779c649c9ae8a3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9AC7	9940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.