PDF malware analysis — malicious · 3120cebf1a39ed8b

MALICIOUS

PDF

46.1 KB Created: 2020-09-06 07:47:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9208d788cab00484ec2915ab27855050 SHA-1: 53c3927395b646474ee449cf6f00a5cdd88ca635 SHA-256: 3120cebf1a39ed8b68605042d50d133e4914fe95f27dba235ac36f5ecf4b1e54

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/pify?keyword=game+ppsspp+football+2016'. This URL is presented within the document body, suggesting a social engineering lure related to a game download. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to static.usrfiles.com. The primary malicious IOC is the redirector URL, which is likely used to deliver a secondary payload or lead the user to a phishing site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/pify?keyword=game+ppsspp+football+2016
- https://static.usrfiles.com/ugd/a8cc01_b237a745918547258c510ce6fdfc3ba7.pdf
- https://static.usrfiles.com/ugd/bae363_377b9f537a0047e9ac2a21ae24711273.pdf
- https://static.usrfiles.com/ugd/b97cba_bc40eaa61e39410993cfed9ac9fc66f0.pdf
- https://cdn.shopify.com/s/files/1/0430/6590/1210/files/39823905084.pdf
- https://cdn.shopify.com/s/files/1/0433/8201/4108/files/pesoginafazap.pdf
- https://static.usrfiles.com/ugd/0c4177_e8b235ec99ef458a97f91feab6b27706.pdf
- https://static.usrfiles.com/ugd/10e3af_a39376bfd60f498390e8936a571bdc67.pdf
- https://static.usrfiles.com/ugd/b8c837_3c47c37c6b9d48798276cffeac8156ec.pdf
- https://static.usrfiles.com/ugd/b8c837_1da48d54109c46d7999633c552ef3fab.pdf
- https://static.usrfiles.com/ugd/b8c837_dadf793f1f094f208f6c03aaa8983bea.pdf
- https://static.usrfiles.com/ugd/493135_4f3b5888c1874f408d02a415a288e256.pdf
- https://static.usrfiles.com/ugd/bb3bf9_bcbdbabece0a45e792bc09c42d9354d5.pdf
- https://static.usrfiles.com/ugd/ede58b_4dab68bd0aa14894a2fcbdd06b8218f9.pdf
- https://static.usrfiles.com/ugd/d4da64_eccb49fc610d41969b765179b55771bf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000069a7.bin` `d2252f81ab8aba719069c7a13d0938b6511389c9b5462f49cd0c024e37098ef9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69A7	5236 bytes
`font_01_sfnt_off00007b85.bin` `be1f4efbbcd17301a56537176f0044aed18308425f71a526cfc7aec5ae60b28e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B85	10024 bytes
`font_02_sfnt_off00009dd6.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DD6	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.