PDF malware analysis — malicious · 25d47d307fd0bd36

MALICIOUS

PDF

45.3 KB Created: 2020-08-31 08:48:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 71e15559bd09e1bc90957b72c4553b5f SHA-1: bf0401aab0b9ab91f06d4d75f3e25f332eb6820c SHA-256: 25d47d307fd0bd36e89d4b4b5dfa573a9d1abbc34b9b238c6f0c95e6b47b9a73

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links directs users to ttraff.com, which is identified as a malicious redirector. This suggests the document is designed to funnel users towards malicious content through a series of redirects and a link farm.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=strengthsfinder+questions+for+discussion
- https://static.usrfiles.com/ugd/b444d4_44506fde2ee14d3fb5d64840a0bc7145.pdf
- https://static.usrfiles.com/ugd/c068f8_cd2178063403452695158472511cc11e.pdf
- https://static.usrfiles.com/ugd/b8c837_007129948f614b2996fe80d13c8afa31.pdf
- https://static.usrfiles.com/ugd/dd4472_12248fc8d0f14386a69db4e84ee29e07.pdf
- https://static.usrfiles.com/ugd/fb5067_dd4d4c4f3a33432e9eb49243e35343c5.pdf
- https://cdn.shopify.com/s/files/1/0438/1189/7504/files/bajufufujiletukefuxowo.pdf
- https://cdn.shopify.com/s/files/1/0431/1518/4277/files/22381414569.pdf
- https://cdn.shopify.com/s/files/1/0434/4047/2229/files/46770919017.pdf
- https://static.usrfiles.com/ugd/bdeb4c_b0b46c29c2a34aa9af339cb0f6d0535a.pdf
- https://static.usrfiles.com/ugd/58a813_e860374001484f67ada93eaea844dd1a.pdf
- https://static.usrfiles.com/ugd/6c032c_4d352c21ce75429a8ba398e053b21c1f.pdf
- https://static.usrfiles.com/ugd/b8c837_5b60b0c50f844d458b006f84c3d5d206.pdf
- https://cdn.shopify.com/s/files/1/0428/3065/9751/files/8555384198.pdf
- https://cdn.shopify.com/s/files/1/0441/2106/3576/files/zanupanasefupib.pdf
- https://cdn.shopify.com/s/files/1/0438/5135/0166/files/jamasebozujesozuju.pdf
- https://cdn.shopify.com/s/files/1/0443/0177/9100/files/bubogevezikujiledupito.pdf
- https://cdn.shopify.com/s/files/1/0431/0496/0661/files/pipipizanudupur.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066bb.bin` `a7a21fca87f848aa413abc35b85939de9224dd939cc425cde5a4b6fc30720509`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66BB	5152 bytes
`font_01_sfnt_off00007827.bin` `4bd4fefecee821a58820fb16d7457c89138090d11f45d6f38fef3bd4666fe632`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7827	9900 bytes
`font_02_sfnt_off00009a03.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A03	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.