Malicious PDF — malware analysis report

Static analysis result for SHA-256 46e989d426d16222…

Verdict: MALICIOUS
File type: PDF
Size: 88.0 KB
Created: 2020-09-04 18:43:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 984dccaa1a1e1e9ca44157ddfd2efdc0
SHA-1: f854c7d3bf33d92c848d901cb7074cd065eaeb1f
SHA-256: 46e989d426d162224ccfbcde1aa0f29ed4679f62981f4d9021ac5d8e2772229b
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.002 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The PDF is an SEO link-farm carrier, not an exploit document. It holds eleven clickable links to other PDFs (five on static.usrfiles.com, six on cdn.shopify.com) and one clickable link to ttraff.club, a host flagged as redirector infrastructure of a known malicious PDF SEO/adware delivery campaign; its text also asks the reader for secret recovery information, which points to phishing or social engineering. The authoring application (wkhtmltopdf) is consistent with a machine-generated document. The primary indicator is the redirector URL https://ttraff.club/wix?keyword=platform-+tools+root+folder+23.+rar+%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF, the entry point of a redirect chain that is expected to end in unwanted-software delivery or further compromise. Its keyword parameter is double URL-encoded and decodes to a download-search phrase ("platform- tools root folder 23. rar") followed by دانلود, Persian for "download", which matches a lure aimed at users searching for a file to download. Nothing here relies on a PDF parser vulnerability; the chain only starts if the user clicks.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] SE_SECRET_RECOVERY_LURE: Recovery secret / private key request
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reaches it (macro, JavaScript, link annotation, document body) and the verdicts of the heuristics above. The extracted URLs fall into three groups.
    Clickable link to redirector infrastructure (the PDF_MALICIOUS_REDIRECTOR_LINK hit):
    • https://ttraff.club/wix?keyword=platform-+tools+root+folder+23.+rar+%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF
    Clickable external PDF links forming the link farm (the PDF_SEO_LINK_FARM hit; five on static.usrfiles.com, six on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/b8c837_594e62a26def4f958d9c5a3b23c604a4.pdf
    • https://static.usrfiles.com/ugd/18574e_8f27176d9b3341c3810fd861192c84ce.pdf
    • https://static.usrfiles.com/ugd/9cc572_f4c2229614da4013ae2afa798a3c6088.pdf
    • https://static.usrfiles.com/ugd/7198c1_8aae792d0d4f45d0a6dbe3080a9f30aa.pdf
    • https://static.usrfiles.com/ugd/b88e3d_45c1715d88bd485686d8f10f2cb98b24.pdf
    • https://cdn.shopify.com/s/files/1/0440/2351/3238/files/magazine_advertisement_design_templates.pdf
    • https://cdn.shopify.com/s/files/1/0431/5601/3205/files/star_trek_beyond_putlocker.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80789229335.pdf
    • https://cdn.shopify.com/s/files/1/0433/0763/0747/files/barcode_attendance_system.pdf
    • https://cdn.shopify.com/s/files/1/0431/0374/8247/files/can_can_violin_duet_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0427/5562/1031/files/highlight_on_macbook_pro.pdf
    XMP metadata namespace identifiers (RDF, Dublin Core and Adobe PDF/XMP schemas). These are declarations inside the document's metadata packet, present in any XMP-tagged PDF, and are not links a reader can follow:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
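The three document-level heuristics above can be reproduced with standard-library Python. The block below is an added example, not the analysis platform's own code: it pulls /URI link annotations and every other URL out of the raw file and the inflated FlateDecode streams (so the XMP packet and object streams are covered), drops XMP namespace identifiers from the embedded-URL listing, and applies PDF_MALICIOUS_REDIRECTOR_LINK against a hypothetical one-entry blocklist seeded from this report, and PDF_SEO_LINK_FARM with size, link-count and single-host-ratio thresholds that are assumptions. The PDF it scans is constructed inline from the URLs listed in this report; SE_SECRET_RECOVERY_LURE is a text-content rule and is not modelled because the page does not show the document text.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# XMP metadata namespace URIs: declarations inside the metadata packet, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)
# Hypothetical redirector blocklist, seeded only with the host named in this report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")     # /URI literal strings: the clickable channel
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")   # any http(s) URL in raw or inflated bytes


def searchable_bytes(pdf_bytes):
    """Raw file plus the inflated body of every FlateDecode stream (XMP packet, object streams)."""
    out = bytearray(pdf_bytes)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the EOL bytes that sit between the data and 'endstream'
            out += b"\n" + zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # unfiltered stream or a non-Flate filter
    return bytes(out)


def extract_urls(pdf_bytes):
    """Return (link_annotation_urls, other_urls); other_urls excludes the clickable ones."""
    data = searchable_bytes(pdf_bytes)
    link_urls = list(dict.fromkeys(u.decode("latin-1") for u in URI_RE.findall(data)))
    found = dict.fromkeys(u.decode("latin-1") for u in URL_RE.findall(data))
    return link_urls, [u for u in found if u not in link_urls]


def classify(pdf_bytes, small_pdf_max_bytes=200 * 1024, min_pdf_links=5, cluster_ratio=0.5):
    """Apply the report's three document-level heuristics. The thresholds are assumptions."""
    link_urls, other_urls = extract_urls(pdf_bytes)
    findings = []
    # EMBEDDED_URL (info): every URL except XMP namespace identifiers.
    for u in link_urls + [u for u in other_urls if not u.startswith(XMP_NAMESPACE_PREFIXES)]:
        findings.append(("info", "EMBEDDED_URL", u))
    # PDF_MALICIOUS_REDIRECTOR_LINK (critical): a clickable URI on a blocklisted host.
    for u in link_urls:
        if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", u))
    # PDF_SEO_LINK_FARM (critical): a small file carrying many clickable external .pdf
    # links, most of them on a single host.
    pdf_links = [u for u in link_urls if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= small_pdf_max_bytes and len(pdf_links) >= min_pdf_links:
        top_host, top_count = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
        if top_count / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{len(pdf_links)} external PDF links, {top_count} on {top_host}"))
    return findings


# Constructed fixture built from the URLs listed in this report (not the analysed file).
USRFILES = "https://static.usrfiles.com/ugd/"
SHOPIFY = "https://cdn.shopify.com/s/files/1/"
REPORT_LINKS = [
    "https://ttraff.club/wix?keyword=platform-+tools+root+folder+23.+rar+"
    "%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF",
    *(USRFILES + p for p in (
        "b8c837_594e62a26def4f958d9c5a3b23c604a4.pdf", "18574e_8f27176d9b3341c3810fd861192c84ce.pdf",
        "9cc572_f4c2229614da4013ae2afa798a3c6088.pdf", "7198c1_8aae792d0d4f45d0a6dbe3080a9f30aa.pdf",
        "b88e3d_45c1715d88bd485686d8f10f2cb98b24.pdf")),
    *(SHOPIFY + p for p in (
        "0440/2351/3238/files/magazine_advertisement_design_templates.pdf",
        "0431/5601/3205/files/star_trek_beyond_putlocker.pdf",
        "0433/0687/7080/files/80789229335.pdf",
        "0433/0763/0747/files/barcode_attendance_system.pdf",
        "0431/0374/8247/files/can_can_violin_duet_sheet_music.pdf",
        "0427/5562/1031/files/highlight_on_macbook_pro.pdf")),
]


def build_sample_pdf(urls):
    """One page with a /Link annotation per URL plus a FlateDecode XMP metadata stream."""
    annots = "".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>\n"
        for u in urls).encode("latin-1")
    xmp = zlib.compress(
        b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
            b"4 0 obj << /Type /Metadata /Subtype /XML /Filter /FlateDecode /Length "
            + str(len(xmp)).encode() + b" >>\nstream\n" + xmp + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_PDF = build_sample_pdf(REPORT_LINKS)

if __name__ == "__main__":
    for severity, rule, detail in classify(SAMPLE_PDF):
        print(f"[{severity}] {rule}: {detail}")
```

The regex walk over raw bytes is deliberately parser-free, so a broken xref table cannot hide a link from it; the trade-off is that /URI values written as hex strings (<...>) or placed in streams with a non-Flate filter are missed, and a production triage tool should decode those as well.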

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt containers); none of the heuristics above fires on them, and their hashes are recorded as pivot points rather than as indicators.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010200.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10200   5412 bytes
  SHA-256: c5f213305b5897ea083c2a0133ede1a87524df45a4e53cac8c4a1dd07c7479d3
font_01_sfnt_off00011461.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11461  10932 bytes
  SHA-256: de660af68d5b70f6d0e5856baa28c281c951c5ce2d5a50a6a557864fc436b75c
font_02_sfnt_off000139fc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x139FC  16496 bytes
  SHA-256: 4c7a3f4c24acbd3dbc226cbb34235638bbd4ab16f36442789c2911b407bafc0a
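The artifact table above comes from carving embedded font programs out of the file. The block below is an added example, not the analysis platform's code, showing the same walk with the standard library only: decode each stream, keep those whose body begins with an sfnt magic, and emit the filename, SHA-256, kind, source and size fields the table uses. The offset convention (first byte of the encoded stream data) and the fixture PDF, which embeds a constructed 32-byte sfnt beside a page-content stream, are assumptions.

```python
import hashlib
import re
import struct
import zlib

# sfnt container magics: TrueType, OpenType/CFF, Apple TrueType, TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decode_stream(raw):
    """Inflate a FlateDecode stream; fall back to the raw bytes for an unfiltered stream."""
    try:
        return zlib.decompressobj().decompress(raw)  # trailing EOL before 'endstream' is ignored
    except zlib.error:
        return raw


def carve_sfnt_fonts(pdf_bytes):
    """One record per stream whose decoded body starts with an sfnt magic.

    'offset' is the file offset of the first byte of the encoded stream data (assumed
    to be the convention behind the report's 'at offset 0x...'); 'size' and 'sha256'
    describe the decoded font program, which is what gets written to disk."""
    records = []
    for m in STREAM_RE.finditer(pdf_bytes):
        decoded = decode_stream(m.group(1))
        if not decoded.startswith(SFNT_MAGICS):
            continue
        offset = m.start(1)
        records.append({
            "filename": f"font_{len(records):02d}_sfnt_off{offset:08x}.bin",
            "sha256": hashlib.sha256(decoded).hexdigest(),
            "kind": "pdf-font-stream",
            "source": f"PDF embedded font (sfnt) at offset 0x{offset:X}",
            "size": len(decoded),
            "offset": offset,
            "data": decoded,
        })
    return records


# Constructed fixture (not the analysed file): a 32-byte TrueType-style sfnt
# (offset table + one table record + 4 bytes of table data) next to a page-content stream.
FAKE_SFNT = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)   # numTables=1
             + b"cmap" + struct.pack(">III", 0, 28, 4)                  # checksum, offset, length
             + b"\x00\x00\x00\x00")


def build_sample_pdf():
    def stream_obj(num, extra, data):
        head = f"{num} 0 obj << {extra} /Filter /FlateDecode /Length {len(data)} >>\nstream\n"
        return head.encode() + data + b"\nendstream\nendobj\n"
    return (b"%PDF-1.4\n"
            + stream_obj(5, "", zlib.compress(b"BT /F1 12 Tf (hello) Tj ET"))
            + stream_obj(6, f"/Length1 {len(FAKE_SFNT)}", zlib.compress(FAKE_SFNT))
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    for r in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"{r['filename']}  {r['kind']}  {r['source']}  {r['size']} bytes  {r['sha256']}")
```

Fonts embedded by wkhtmltopdf are expected in a document like this and no heuristic fires on them; carving them still pays off because the hashes give a pivot that survives re-generation of the surrounding link farm.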