PDF malware analysis — malicious · 4ca09a0fedf8c7b7

MALICIOUS

PDF

87.0 KB Created: 2020-08-29 03:40:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b350f96452a15d234d5aa2cfa8d7e70d SHA-1: 116c2ae6bf02119e805da911aa1929e8c40600b5 SHA-256: 4ca09a0fedf8c7b7c2ae94a062241a90bee69f8ad63bf4c8c67815b2e54f840e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple heuristics indicating a malicious redirector link and a link farm, consistent with SEO poisoning. The 'SE_ADVANCE_FEE_SCAM_LURE' heuristic strongly suggests the document's content is designed to trick users into believing they need to pay a fee or provide information related to a parcel delivery. The embedded URL 'https://ttraff.com/wix?keyword=fedex+historia+firmy' is the primary indicator of this lure.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=fedex+historia+firmy
- https://static.usrfiles.com/ugd/b8c837_105d74402fd94bba9a829335a45557ee.pdf
- https://static.usrfiles.com/ugd/b8c837_7f4a68b5d6a54f698d1016d559f15ea0.pdf
- https://static.usrfiles.com/ugd/b8c837_3266973cf40d4bb08be5c98beabdb23c.pdf
- https://static.usrfiles.com/ugd/b8c837_e4c61faa1ed94702b1eb7118d7cd8e61.pdf
- https://static.usrfiles.com/ugd/b8c837_6c222ce923834f9a9851a03de609e8c5.pdf
- https://static.usrfiles.com/ugd/b8c837_1379859d0ae04611b2704b36c748368c.pdf
- https://static.usrfiles.com/ugd/b8c837_9402a6163e4b41bfb02ef5bd293ab3a7.pdf
- https://static.usrfiles.com/ugd/b8c837_3270bd92a9ed44c6a1e819e0cae4c74f.pdf
- https://static.usrfiles.com/ugd/b8c837_53ffbf92a211448f8ce4d0da030e7222.pdf
- https://static.usrfiles.com/ugd/b8c837_e4b728b8f34e4bc4b63c6ee87bb3e84a.pdf
- https://static.usrfiles.com/ugd/b8c837_831429a911fb4c8d8575bd1f4600c878.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010296.bin` `b3dcfdb39d9fa467fef78210dd70b1ffe5a3bf92866a694ecf66dd36cbe1180d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10296	5240 bytes
`font_01_sfnt_off00011456.bin` `6300acb8522b5bb6aa74653933b0f94b050abf875bd4579d1194a55754e096f5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11456	11484 bytes
`font_02_sfnt_off00013a25.bin` `f69dfaa62717e5dd28008c5cb2efbda9970d2bfad2e264e945fa6e92777c3c4f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13A25	16124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.