PDF malware analysis — malicious · 2e0c2f4c7c0f8644

MALICIOUS

PDF

49.9 KB Created: 2020-09-19 02:06:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 57f529f92589642e32d349f86acc1e5b SHA-1: ad70b653a04376274d0bf1c493fc0cd3c92e9362 SHA-256: 2e0c2f4c7c0f86442f661e98de2ad6b3f7877a70aa6e6ad2ad26c74c4ddd3588

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a lure related to an 'accounting clerk internship cover letter' and embeds numerous links. One of these links, https://ttraff.me/wix?keyword=accounting+clerk+internship+cover+letter, is identified as a malicious redirector. The presence of a link farm and a malicious redirector indicates a phishing or social engineering attack aimed at directing users to potentially harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=accounting+clerk+internship+cover+letter
- https://e741efc4-444a-484e-8816-0f6376a13b12.filesusr.com/ugd/8b61cf_d18a2a8975bf475ea88cb00ecdc6b122.pdf?index=true
- https://6b7858fa-e91e-433a-8c5b-545e6820cd81.filesusr.com/ugd/11b39a_142c4c5488b1468a82f6978007f4a16d.pdf?index=true
- https://d4b89741-a10a-4312-a9dc-4550e0bd23a3.filesusr.com/ugd/ac1638_3f2c66d33ad1419e8def1bd4390984ac.pdf?index=true
- https://e5bd2a94-17c1-4804-a6ab-ac52fe607eeb.filesusr.com/ugd/fedf23_9731ad7530f74b33bf9ea0bb12569d51.pdf?index=true
- https://55bfb6a2-771e-4f90-9240-7ac854071a59.filesusr.com/ugd/d78803_dbac80d3e9b2464498bc43f42feeeff6.pdf?index=true
- https://cdn.shopify.com/s/files/1/0431/6656/4507/files/30612885370.pdf
- https://cdn.shopify.com/s/files/1/0437/0730/2037/files/tolon.pdf
- https://cdn.shopify.com/s/files/1/0429/8558/6849/files/falofa.pdf
- https://cdn.shopify.com/s/files/1/0462/1248/1177/files/acknowledgement_for_industrial_visit_report.pdf
- https://cdn.shopify.com/s/files/1/0431/5322/7932/files/54244002093.pdf
- https://cdn.shopify.com/s/files/1/0429/7008/7587/files/rumor_mill_hep_ex.pdf
- https://cdn.shopify.com/s/files/1/0434/2700/4577/files/7461351970.pdf
- https://cdn.shopify.com/s/files/1/0428/2476/1510/files/84940335136.pdf
- https://cdn.shopify.com/s/files/1/0435/6718/6079/files/separate_peace.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000607e.bin` `362b34ce222b6c6b25cb5b38a0a2ccefdf4740d8b5988568e5ac243a8750dccf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x607E	5096 bytes
`font_01_sfnt_off000071de.bin` `c71d09840887964fb22a62bbbd535f70f60e4b2999db7c94c48614d3a934681a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71DE	15468 bytes
`font_02_sfnt_off0000a35f.bin` `c0982807324681c2194e80f3f637ca3700f5bf2c32718b44bdc390b4bb628087`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA35F	16080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.