PDF malware analysis — malicious · 4ffe1ae7ec98f690

MALICIOUS

PDF

42.5 KB Created: 2020-09-01 06:01:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d4bd8297e12c0781e0cd66bb104181e1 SHA-1: 04d01d3daa705cf42fe25cedff924316b29a7468 SHA-256: 4ffe1ae7ec98f6901ce1b5cd0d9a19472a84c652039c7e90e4c11be50d2cdd19

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=flexible+working+request+template+letter'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. The document body, though heavily obfuscated, contains references to this malicious URL and other benign-looking PDF links. The presence of a callback lure suggests a social engineering attempt, likely to trick the user into interacting further with the malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=flexible+working+request+template+letter
- https://static.usrfiles.com/ugd/e5a943_fc70f17698904af1b8b85aa8a3d870cc.pdf
- https://static.usrfiles.com/ugd/bfbc46_be5f010af98f40f7913f493af1d3f758.pdf
- https://static.usrfiles.com/ugd/857e61_5d6127c9374343fb8629a7ea2abf3850.pdf
- https://static.usrfiles.com/ugd/2e79a6_874c79b00d2147f197ce5c7e1989da52.pdf
- https://cdn.shopify.com/s/files/1/0441/2506/1272/files/dell_m-uav-del8_specs.pdf
- https://cdn.shopify.com/s/files/1/0432/2384/2978/files/english_grammar_book_for_dummies.pdf
- https://cdn.shopify.com/s/files/1/0440/0028/0734/files/netbeans_ide_c.pdf
- https://static.usrfiles.com/ugd/516793_77f0e874c8164055be32dbc635864e2e.pdf
- https://static.usrfiles.com/ugd/b8c837_e268caaef2da41fcadac0c154334b4f2.pdf
- https://static.usrfiles.com/ugd/b8c837_ad32f1790ac84b249115abf8fa40ad1a.pdf
- https://static.usrfiles.com/ugd/b8c837_447a6753bb234add81661ee07112d95c.pdf
- https://cdn.shopify.com/s/files/1/0429/7441/2949/files/lewesofusavejunesuwan.pdf
- https://cdn.shopify.com/s/files/1/0439/7203/4718/files/joxelesufitevi.pdf
- https://cdn.shopify.com/s/files/1/0432/0378/8959/files/precalculus_5th_edition.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000685b.bin` `17e2cd00187ff6edea0e0ac33fdbfeba90691a311bc012530d56180607325021`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x685B	5584 bytes
`font_01_sfnt_off00007b63.bin` `9f78c28595046ff538b1c5906d6ff688ea75dd69ed6e571fb48b58ff73228a4d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B63	10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.