PDF malware analysis — malicious · 30aa41b08f446a7d

MALICIOUS

PDF

73.8 KB Created: 2020-08-31 03:44:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 87fbbf099d4c6789f434323bed55c301 SHA-1: 11019254eb9ebfee7ddab4040181eb4c9b4a881f SHA-256: 30aa41b08f446a7d57f7e53f3c9943de086521c99a69b1a54814a7045c96fa38

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/wix?keyword=jenny+juno+malayalam+subtitles', which is also flagged as malicious. Additionally, the PDF includes a mass external link farm, with many links pointing to static.usrfiles.com, suggesting a potential SEO poisoning or link farm tactic to distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=jenny+juno+malayalam+subtitles
- https://static.usrfiles.com/ugd/9cc572_198dbf113f7d4ca189e49ba7b5c110c5.pdf
- https://static.usrfiles.com/ugd/09273f_ed96c6abc4b14e44a9e53c684d50d4bd.pdf
- https://static.usrfiles.com/ugd/d5415a_7034fb1943744a0e8eede970ec99995e.pdf
- https://static.usrfiles.com/ugd/83e24f_8b651247ffa84362b77d3548e798a4d4.pdf
- https://static.usrfiles.com/ugd/6cfc61_24f34a9a08504bf4a291f4dc2e91cd94.pdf
- https://static.usrfiles.com/ugd/b8c837_bafe44b636f941a88a8734836f0c4a9c.pdf
- https://static.usrfiles.com/ugd/d54300_701fc5605b9f42fb859bc02ec1b304ce.pdf
- https://cdn.shopify.com/s/files/1/0437/7785/1553/files/3959866331.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65496272691.pdf
- https://cdn.shopify.com/s/files/1/0439/8107/8686/files/fm_3-_21._5.pdf
- https://cdn.shopify.com/s/files/1/0429/6533/6217/files/30473668735.pdf
- https://static.usrfiles.com/ugd/c5d40f_b56883488ca947b6acd4fc0febfc65f5.pdf
- https://static.usrfiles.com/ugd/b8c837_ba385a38c96a47f6959ba425c99e3d8d.pdf
- https://static.usrfiles.com/ugd/a474dd_7a53099b3e3f485a897095528287b1ee.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off0000ad61.bin` `82108176c2918c716c085d86830ef75ce5186985c4de5c6430d27d14fd2a8c56`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xAD61	18824 bytes
`font_00_sfnt_off00009cb6.bin` `70e20e5aa4e55caebf44e3ab3285ce6d46366f08fb1cdeb7084f51bb321d246c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9CB6	4924 bytes
`font_02_sfnt_off0000e77a.bin` `aef11d4623e1c3e76cf0648a27999424c3343eacfa5ff06e0576e38888aa4935`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE77A	10504 bytes
`font_03_sfnt_off00010b6c.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B6C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.