PDF malware analysis — malicious · 389d3ca8bf9b5b42

MALICIOUS

PDF

60.3 KB Created: 2020-08-30 14:54:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8807fd33972e39af66b80ab7cffcb57b SHA-1: c6aeacc5ead0a03a30c7805dd933c5e1c5fa4c7e SHA-256: 389d3ca8bf9b5b42ce04c2b642778975532b0d0d9b02961621041a2b1ecb6c84

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.com/wix?keyword=jerarquia+de+operaciones+basicas+pro, which is flagged as a malicious redirector. This suggests the document's primary purpose is to redirect users to a malicious site, likely for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=jerarquia+de+operaciones+basicas+pro
- https://static.usrfiles.com/ugd/6290de_c26827a34430460ab610ec55ab4580b0.pdf
- https://static.usrfiles.com/ugd/c12414_8d623d2af76c4faaa1e389dd199a54cb.pdf
- https://static.usrfiles.com/ugd/5ed537_85e8237953dc4dcf8c6f43402b60670b.pdf
- https://static.usrfiles.com/ugd/b8c837_1b4014c6baa24e85b730d37e90d6527e.pdf
- https://static.usrfiles.com/ugd/93c935_4936a88fe2284f4581075f8b82b340fa.pdf
- https://static.usrfiles.com/ugd/2ca09c_d9b16dff412f4eae83188276b1e66934.pdf
- https://cdn.shopify.com/s/files/1/0450/9886/0707/files/monthly_timeline_powerpoint_template.pdf
- https://cdn.shopify.com/s/files/1/0431/2514/5760/files/bidituxodisu.pdf
- https://cdn.shopify.com/s/files/1/0433/9849/6412/files/nefuvumefawuv.pdf
- https://cdn.shopify.com/s/files/1/0437/5353/7690/files/71776520716.pdf
- https://cdn.shopify.com/s/files/1/0432/6067/4198/files/65472619637.pdf
- https://static.usrfiles.com/ugd/47b1e8_6b15de28f7044a21b590088583f25b75.pdf
- https://static.usrfiles.com/ugd/b8c837_393e1c2745cd476e9e03f675baba9934.pdf
- https://static.usrfiles.com/ugd/a2ebd8_9245e07ef4d9432e82024724991c50ae.pdf
- https://static.usrfiles.com/ugd/80c1db_e31200b5eb7b4d42ab1b79da2464bf02.pdf
- https://static.usrfiles.com/ugd/b8c837_bfc36dbfc92841ee91c1c25decd4610c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008ea1.bin` `d39c90561948d03a7ac381314e1923135bcdc34abb88ef51abcd008a2c6caca1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8EA1	5292 bytes
`font_01_sfnt_off0000a09a.bin` `478b1a9d1a3dd491f62ccdc53dd466ab88758eb202a04b2b3ab6bbe509ecf874`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA09A	14492 bytes
`font_02_sfnt_off0000cda4.bin` `d7c0313d84b709fe8a6a90baca56b34c20eeda1db47cffc02c31991c89a68c0d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCDA4	16080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.