PDF malware analysis — malicious · 1f210e7ed90997aa

MALICIOUS

PDF

57.3 KB Created: 2020-09-01 04:00:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7e263b6683da44e9d603c27e898eda87 SHA-1: c09085ab0def98c7693cece5e3d9a3581c6dfa1e SHA-256: 1f210e7ed90997aa5c8fd916382e6440ef1b1ff388ee297eaba49c9a93135947

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM indicates the document contains a large number of external links, likely to manipulate search engine results or distribute malware. The primary malicious URL identified is https://ttraff.com/pify?keyword=html+form+post+to+api. The document body contains garbled text but includes references to the malicious URL and a benign PDF.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=html+form+post+to+api
- https://static.usrfiles.com/ugd/f14cf6_80cffc9c2f2944b6a7507cf54f672178.pdf
- https://static.usrfiles.com/ugd/1f6d71_c6de4dcbd47f459eabb20906c4bb81e7.pdf
- https://static.usrfiles.com/ugd/b8c837_bc3117f1577f416aa34490a5af1601f2.pdf
- https://static.usrfiles.com/ugd/0d002d_805deebb93cf44c085b9c6e5e9b9ba34.pdf
- https://static.usrfiles.com/ugd/b8c837_c95039a698aa4e1893100847d4e8a3c6.pdf
- https://cdn.shopify.com/s/files/1/0438/1330/6530/files/the_other_wes_moore_timeline.pdf
- https://cdn.shopify.com/s/files/1/0465/2456/3614/files/kubota_bx2230_operator_manual.pdf
- https://cdn.shopify.com/s/files/1/0433/5920/7592/files/lafovugi.pdf
- https://cdn.shopify.com/s/files/1/0429/9830/0823/files/www_sipeliculas_com.pdf
- https://cdn.shopify.com/s/files/1/0465/2957/7118/files/atom_platformio-_ide-_terminal.pdf
- https://static.usrfiles.com/ugd/0c4177_c386b0076d1c4796a72c1e8cc8f13c07.pdf
- https://static.usrfiles.com/ugd/2e16aa_064d941c84de4519b2ecc2ab455b7601.pdf
- https://static.usrfiles.com/ugd/b8c837_cdb8c915d5d04509a775216ffb8b7c2c.pdf
- https://static.usrfiles.com/ugd/b8c837_7b12ea54676b4fd69226921cd694a7aa.pdf
- https://static.usrfiles.com/ugd/81d6a4_661045bd46cf472885ae57325a08f2d8.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008787.bin` `e66e4b8bdb743ee2014988e720c28ac99034ec3d1594334231296829f1aefb16`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8787	4672 bytes
`font_01_sfnt_off0000980a.bin` `5590ef6a51c1fddc66f6351621933a277fad70457faed7fa47d816957358b17a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x980A	5008 bytes
`font_02_sfnt_off0000a8f7.bin` `07db0ca5369861af6ff841d8b67883a91ddb976794ba779672cc5d198d1ffbef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA8F7	14928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.