PDF malware analysis — malicious · 3d420cc720ca312f

MALICIOUS

PDF

57.8 KB Created: 2020-08-31 19:06:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7ce7965de6e32e755bc3cc60617fd4bd SHA-1: 8dedc93cfe18e3f810c36aa98761c35082ea9ae8 SHA-256: 3d420cc720ca312fd4de7081276b59558cc5fe36174662bb190f359329432666

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=java+swing+example'. This indicates the document's primary purpose is to lure the user to a potentially harmful external site. The PDF also exhibits characteristics of a link farm, with numerous embedded links, further supporting the malicious redirection intent. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=java+swing+example
- https://static.usrfiles.com/ugd/90c678_b2d29f3754e242f79b972d2febdc8ada.pdf
- https://static.usrfiles.com/ugd/daca0d_ffc1fad87d5a486288710746ff985111.pdf
- https://static.usrfiles.com/ugd/b8c837_1c9c9cb729df4c818de01045768e1714.pdf
- https://static.usrfiles.com/ugd/162fe6_4253116ea3eb4bebb20b665773152036.pdf
- https://static.usrfiles.com/ugd/10e3af_277365e4e4e243479207e8760745e88a.pdf
- https://cdn.shopify.com/s/files/1/0437/6474/4343/files/vebelivepuretazolaj.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30698029692.pdf
- https://cdn.shopify.com/s/files/1/0441/0087/8488/files/88649756638.pdf
- https://cdn.shopify.com/s/files/1/0434/1219/3438/files/72827169768.pdf
- https://cdn.shopify.com/s/files/1/0437/5507/7790/files/34563627703.pdf
- https://cdn.shopify.com/s/files/1/0438/0976/7584/files/12204156564.pdf
- https://cdn.shopify.com/s/files/1/0431/4329/9234/files/didifar.pdf
- https://cdn.shopify.com/s/files/1/0428/8076/2023/files/learning_clothes_in_english_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0432/2492/4319/files/37552572612.pdf
- https://cdn.shopify.com/s/files/1/0435/4169/2580/files/sample_counterclaim_in_answer_for_complaint.pdf
- https://cdn.shopify.com/s/files/1/0429/5429/3402/files/24641014249.pdf
- https://cdn.shopify.com/s/files/1/0431/6856/3355/files/fuwonidobi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008b4b.bin` `d7d013408685d1bf1dc1dee1d90893ea0daaa0e4e5db9584292ef4d00e01cff0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B4B	3304 bytes
`font_01_sfnt_off0000972f.bin` `4080b3028b8dc351945d9adeea4c6e95f974da0a5f4804d89d3249ba6964130f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x972F	5252 bytes
`font_02_sfnt_off0000a91c.bin` `3b6303547940507d05b6cc0ed9b0dd1a35b0821b6f8a3a01dbc70b61b01e513b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA91C	15252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.