PDF malware analysis — malicious · 238cacc69015b2a3

MALICIOUS

PDF

44.2 KB Created: 2020-09-05 15:40:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 554b1e0485b6262f5c90a1226a6fa20e SHA-1: 3a4fe51e470f0ec383d6c0fa0d8063896325fd65 SHA-256: 238cacc69015b2a36edabef2613431a0e798b55191466b6d2959b10f9420e15b

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=bluestacks+3++for+windows+8'. This URL is presented to the user as a download for 'Bluestacks 3 for windows 8', indicating a social engineering lure. The file also contains a PDF link farm heuristic, suggesting it's part of a larger SEO poisoning campaign to distribute malicious content. The document body, though heavily obfuscated, contains the same lure text and the malicious URL.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=bluestacks+3++for+windows+8
- https://static.usrfiles.com/ugd/696b8a_fed23ef654d64ee8a44e55017d867a5b.pdf
- https://static.usrfiles.com/ugd/0789d5_ec44acaad0bc4d62b44dc4bfa5031270.pdf
- https://static.usrfiles.com/ugd/b8c837_3c00d0d0797c4653b174009bcae3e607.pdf
- https://static.usrfiles.com/ugd/5926b4_00cc30a754094b029024714b734c20e4.pdf
- https://cdn.shopify.com/s/files/1/0432/9350/7739/files/minecraft_mob_armor_mod_1._7_10.pdf
- https://cdn.shopify.com/s/files/1/0431/2272/0924/files/jodoridi.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85583151980.pdf
- https://cdn.shopify.com/s/files/1/0440/2796/9686/files/75570070763.pdf
- https://cdn.shopify.com/s/files/1/0432/9183/6566/files/linorawuruwe.pdf
- https://cdn.shopify.com/s/files/1/0432/9262/3001/files/9452364281.pdf
- https://static.usrfiles.com/ugd/d94ae5_393c68161c62495caddf9269e7f59895.pdf
- https://static.usrfiles.com/ugd/9c66ff_a42820ebc8774bafb38293c1e03a29b0.pdf
- https://static.usrfiles.com/ugd/74c34a_07f56791435b48c4886b3ea95fcf5146.pdf
- https://static.usrfiles.com/ugd/02beb7_b7663264529249b1b3a5c91a68be1eea.pdf
- https://static.usrfiles.com/ugd/e3c460_d7b7356e54d54b11a3b3949782f23cdf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ed4.bin` `d51c7951e74df79c2e3e86ec980277d770692ae24769a5bcc2764c40d6161606`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6ED4	5576 bytes
`font_01_sfnt_off000081ef.bin` `ab5a3f6fa49cde9a91dfb3ac733f9cd2aaea0a219cbd543da3b218724677eef0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81EF	9956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.