PDF malware analysis — malicious · 47d0b48c8cf4c099

MALICIOUS

PDF

53.4 KB Created: 2020-09-01 04:44:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8264963c6bd329df21ff5d17b5900bed SHA-1: 0c9e1f8585fdc3ec074e70373985391ecc050fa3 SHA-256: 47d0b48c8cf4c0996b4b04556abe6ded114384c8e758cf7b26ed2bf8566c67c2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating a link to known malicious infrastructure. Additionally, PDF_SEO_LINK_FARM indicates a large number of external links, many pointing to static.usrfiles.com. The embedded URL https://ttraff.com/wix?keyword=deed+of+variation+intestacy+template is likely the primary malicious payload delivery mechanism. The document body, though heavily obfuscated, contains references to legal templates, suggesting a social engineering lure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=deed+of+variation+intestacy+template
- https://static.usrfiles.com/ugd/b8c837_7e89c5e41f0e49398d23617adc9f3717.pdf
- https://static.usrfiles.com/ugd/b8c837_7ac9d0e5cf1f46d081f2ad6ed61f82e4.pdf
- https://static.usrfiles.com/ugd/d4a9d6_b39c6f3933ed4be9a5b87c1fb60a0622.pdf
- https://static.usrfiles.com/ugd/4bb894_aa23ad53cc4843b2aca34708da48f809.pdf
- https://static.usrfiles.com/ugd/34e21e_adc83fa538744a6aac3fde8d371878c8.pdf
- https://static.usrfiles.com/ugd/b8c837_1398ee65aaa34f92b29ee2abb46b524d.pdf
- https://static.usrfiles.com/ugd/eb6612_a6f41c28cbe74d56ad19b04d7bde7afb.pdf
- https://static.usrfiles.com/ugd/5438e3_d1e797d165a14a27bcdad819aae4fbe6.pdf
- https://static.usrfiles.com/ugd/9e53d4_a9e401d007be49dd988e3f66174e2fe9.pdf
- https://static.usrfiles.com/ugd/b8c837_1424bd56622a4d56a1e2ca8feeba0a69.pdf
- https://static.usrfiles.com/ugd/e33828_b8f94ae8ba154fc2ad9900e2d35aed47.pdf
- https://static.usrfiles.com/ugd/b6edda_428157cc774f4ef5bfa1c5706e8fb166.pdf
- https://cdn.shopify.com/s/files/1/0431/9064/8996/files/28661640438.pdf
- https://cdn.shopify.com/s/files/1/0440/7079/7462/files/android_mods_without_root.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7875/files/baybayin_tagalog.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008846.bin` `b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8846	2828 bytes
`font_01_sfnt_off00009241.bin` `332966907574120ef2205fbbd23192e53a6e80870f942acb6aff5a2e76161d5c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9241	5460 bytes
`font_02_sfnt_off0000a4d5.bin` `04f91086888b4f730019805f8ba6eb6ebdb0be3dfdc33259b19b40070318dee0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA4D5	9852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.