Malicious PDF — malware analysis report

Static analysis result for SHA-256 5398524bd2dd6ea3…

MALICIOUS

PDF

Size: 48.0 KB
Created: 2020-09-04 04:25:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e924bae47643f84e60569c1c09d7948
SHA-1: 2644cdbf62f8ec4541d41424d0da0f1f3b042bd2
SHA-256: 5398524bd2dd6ea3d0139dee66138d1b64c82e30767661c8516463272f07275f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/wix?keyword=twist+remix+song++pagalworld', is designed to redirect users to malicious infrastructure. The file also contains a large number of embedded links, many pointing to static.usrfiles.com, which is flagged as a link farm. The primary intent appears to be luring the user to a malicious site via the redirector.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.link/wix?keyword=twist+remix+song++pagalworld

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000066f4.bin
  SHA-256: 40595c78de64821df2238feb2f5b9872a839c109c749fa695803660e72e11ee9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66F4
  Size: 5176 bytes

Filename: font_01_sfnt_off00007883.bin
  SHA-256: daf289cae6f03fcba6d47d8b479673f7ce8a927ef6369c2bb2b2ea4a22d8fc6a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7883
  Size: 13880 bytes

Filename: font_02_sfnt_off0000a51a.bin
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA51A
  Size: 4324 bytes