PDF malware analysis — malicious · 34c8b14e13b0dfe0

MALICIOUS

PDF

54.7 KB Created: 2020-09-05 13:57:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5352f8866a73f05c9376d7611228a5cf SHA-1: 90210aa4507d5c58f07d848ecb7f8e7b4ae4e4fd SHA-256: 34c8b14e13b0dfe0d041a260e5a48cabfa3a15a6862672eb26f8981a48776e8a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one identified as a malicious redirector. This suggests the document is designed to lure users into clicking on malicious links, likely for phishing or malware delivery. The presence of a link farm further supports this, aiming to increase visibility and potential clicks. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=playing+cards+template
- https://static.usrfiles.com/ugd/d51d36_777a953547164f85ac39963ecf12d121.pdf
- https://static.usrfiles.com/ugd/f0e51d_96fc220dc5824c1cb2c9e04748cb11b2.pdf
- https://static.usrfiles.com/ugd/9cb927_df809183b2904d8ea8133439e21302db.pdf
- https://static.usrfiles.com/ugd/b8c837_bb4d0b3c08ad49eab3d4c4a0914c1d7e.pdf
- https://static.usrfiles.com/ugd/0d089b_c2c2bd48d8f74f7f94b37cc4e79268c9.pdf
- https://static.usrfiles.com/ugd/934fc3_ee4e656df19b4ca893807c5e17f35a82.pdf
- https://static.usrfiles.com/ugd/956c05_c27aed1811bf4b96b57d10c5a678fd42.pdf
- https://cdn.shopify.com/s/files/1/0430/9975/0560/files/suikoden_2_recruitment_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57032902602.pdf
- https://cdn.shopify.com/s/files/1/0445/1460/7263/files/harbor_breeze_ceiling_fan_installation_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/8858/4605/files/probability_and_queuing_theory_notes.pdf
- https://static.usrfiles.com/ugd/defcb2_43a49bcdd02b4ccfbe5191ad3d1f414c.pdf
- https://static.usrfiles.com/ugd/0047a4_f39153c0e5604a21a3d8c12585680f1e.pdf
- https://static.usrfiles.com/ugd/493135_c424c6158ee04242a9283206cf4d3b68.pdf
- https://static.usrfiles.com/ugd/c3548c_3ce64f36cdc944dcac28dd196a572e5d.pdf
- https://static.usrfiles.com/ugd/912de2_3f2f2b76b70f4a21bfb5e096bdc5ea08.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000878a.bin` `003ff7c633124edf5a96e0f615cbe96f34e5d6c2fa07c2c71f2b52b571ca9168`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x878A	5172 bytes
`font_01_sfnt_off00009903.bin` `7cdc851334bbcf5749504d0042e550e116b6fb2f3dabda4ad3e03e024681c210`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9903	11912 bytes
`font_02_sfnt_off0000bfe5.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBFE5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.