PDF malware analysis — malicious · 42ed3468bb2ccf2d

MALICIOUS

PDF

47.1 KB Created: 2020-08-31 17:47:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7658e8c68c09d4f789e9d04f4f8ed731 SHA-1: ffed007d41d8fac743f60017307ba7658ceb5318 SHA-256: 42ed3468bb2ccf2dee6a096a0f72bb55632335ac6858cfdd201bac5192d943ae

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was identified as malicious due to the presence of numerous embedded links. One critical heuristic firing indicates a PDF malicious redirector link pointing to 'https://ttraff.com/wix?keyword=magazine+cover+layout+design+template'. Another critical heuristic identified a PDF SEO link farm with 28 external PDF links, the first of which is 'https://static.usrfiles.com/ugd/6df952_3c05855525e44d2bb6b43f9283a127c8.pdf'. The document body contains garbled text but includes the same malicious URL, suggesting a lure to a phishing or malware distribution site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=magazine+cover+layout+design+template
- https://static.usrfiles.com/ugd/6df952_3c05855525e44d2bb6b43f9283a127c8.pdf
- https://static.usrfiles.com/ugd/b8c837_f24b2a8162de48dea51353511b9fd9f4.pdf
- https://static.usrfiles.com/ugd/b8c837_f88ba6bce9074cf585bfaf1d73200536.pdf
- https://static.usrfiles.com/ugd/136d07_c0c1168f75b34eedba487dbb1332e560.pdf
- https://static.usrfiles.com/ugd/93c935_d146557fdea84e52b89c4851a093ca9a.pdf
- https://static.usrfiles.com/ugd/b4f0c6_381b7334b6ea486eaa22e4051abc31f8.pdf
- https://static.usrfiles.com/ugd/dba42a_35cf12512a504a0390070c89fc9bc411.pdf
- https://static.usrfiles.com/ugd/b8c837_3cefc7238c4540a884b66f684e1a503d.pdf
- https://cdn.shopify.com/s/files/1/0439/1872/1192/files/sakusiboperomirewo.pdf
- https://cdn.shopify.com/s/files/1/0432/9635/8565/files/sipuserepo.pdf
- https://cdn.shopify.com/s/files/1/0435/5833/8715/files/bakri_palan_project_report.pdf
- https://static.usrfiles.com/ugd/97368a_e4cbdc1f87fa4d84b0dc78069f3b17e6.pdf
- https://static.usrfiles.com/ugd/defcb2_84d409befc994eee8e556fb43d82bed7.pdf
- https://static.usrfiles.com/ugd/e5412a_5d79b447a38943579c9583df06e579cf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006c88.bin` `449c8c6f5f55645fb0d1b87f6dbde87c183239084166aa2d20a2cec3bc6f24be`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C88	5492 bytes
`font_01_sfnt_off00007f34.bin` `92de5a8ba227ecf5b864b7ed06d55d71a60d7784d47460e361f443e49eaf8e80`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F34	9928 bytes
`font_02_sfnt_off0000a132.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA132	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.