PDF malware analysis — malicious · 2be46c6f4806a38e

MALICIOUS

PDF

43.3 KB Created: 2020-09-08 04:21:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8597d704fbac6d6610a649163182575d SHA-1: 7acb5de5f6d94a164a2ec1785d880d4de5261bae SHA-256: 2be46c6f4806a38e4a283116c1387c17f499ce29725f8f8ba302a59a6a5de69f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.me/wix?keyword=blockers+spy+for+instagram+apk`. This URL is embedded within the document body, suggesting a social engineering lure to trick users into clicking it. The file also exhibits characteristics of a link farm, with numerous external PDF links, likely for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=blockers+spy+for+instagram+apk
- https://static.usrfiles.com/ugd/0b46e6_34313dc4c3094c7cb22fb50193d4be6a.pdf
- https://static.usrfiles.com/ugd/0fdb6d_155fa54090294118959b0eafc1c36501.pdf
- https://static.usrfiles.com/ugd/4dd980_550849b73b714a23aaf112f750699d4e.pdf
- https://static.usrfiles.com/ugd/74e905_bad4962818714f6787a160b55fb1cb4a.pdf
- https://static.usrfiles.com/ugd/2c608b_3d6ed142980b490aa0c204c84ff4cca1.pdf
- https://cdn.shopify.com/s/files/1/0428/1637/2892/files/zabebuwigaxowigaxer.pdf
- https://cdn.shopify.com/s/files/1/0437/9574/2882/files/60086463775.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/zetibiratojomonogonuwal.pdf
- https://cdn.shopify.com/s/files/1/0430/8133/4933/files/95652543846.pdf
- https://cdn.shopify.com/s/files/1/0463/2628/4445/files/iso_31000_risk_management.pdf
- https://cdn.shopify.com/s/files/1/0431/3061/8011/files/86427002662.pdf
- https://static.usrfiles.com/ugd/1ebe14_77fa2708889e465bad57e6178d79bade.pdf
- https://static.usrfiles.com/ugd/b8c837_dda84f96314644a59f6707ce6feb0fd8.pdf
- https://static.usrfiles.com/ugd/2813e2_b447b15b884347849ef413f7621fd9d5.pdf
- https://static.usrfiles.com/ugd/455f95_c203cd99569a46e096a9a9677fb2b5ca.pdf
- https://static.usrfiles.com/ugd/ceb2e8_07ea8d9dbcaa43f49eaa413c18bc4aae.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e66.bin` `0eee3ea00b4ce43ed9553d0a74d9d2f7e6d2598d8886a12e17088215389e6b91`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E66	5548 bytes
`font_01_sfnt_off00007142.bin` `c2c3ac1f4850f06fb705e54f7c97e42775221d1fcfae22b7c8be31c84d2ef404`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7142	2076 bytes
`font_02_sfnt_off00007a52.bin` `b1858e6d079d1024df6f5b1e63300ca8c85edaad3f46ca089e9e500f332e18d7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A52	10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.