PDF malware analysis — malicious · 548551d47f3ea30e

MALICIOUS

PDF

43.1 KB Created: 2020-09-19 13:38:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 264bb8d27eeea011d3959be7673d7849 SHA-1: b7e901e8126abaa417b0eb0667e2bf78f4a1551e SHA-256: 548551d47f3ea30e40f89757a3278e0ba3e9e3968e567d5a38e4438a3068edff

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF contains a high number of embedded links, with one specifically identified as a malicious redirector. The document body also contains a call-to-action phrase, suggesting a lure to click the malicious link. The primary malicious URL identified is https://ttraff.cc/wix?keyword=superstar+smtown+hack+no+ban, which likely leads to further malicious content or exploits.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=superstar+smtown+hack+no+ban
- http://xugid.gsjacobsen.com/uploads/1/3/2/3/132302868/supezo-zozatam.pdf
- http://rogudidun.vibrationalinstitute.com/uploads/1/3/1/4/131454950/4218353.pdf
- https://6252cc19-5c14-4731-b8ad-12641b11129b.filesusr.com/ugd/9b33c5_5e4d4fd0e77646fc8315d5dfb07ef049.pdf?index=true
- https://71aee221-614e-47ac-b5e8-c86d63ca5995.filesusr.com/ugd/e4f6f0_13ea17d487244ddc9ebd544173f4cf33.pdf?index=true
- https://d6be1461-0c6f-4e6f-a098-0ebe302fb7c9.filesusr.com/ugd/24deb6_6200a47b41414d0a93e4462f57a74d5e.pdf?index=true
- https://3ccf2c78-7644-4b77-b4ef-12136b64aabe.filesusr.com/ugd/ae15ca_2924fbe9a4a34016902900f4f662afa8.pdf?index=true
- https://bdc5faa9-4011-4dd1-9e85-e3532fd13b8d.filesusr.com/ugd/1c90dc_c11a3dd1bb6f4b8e830e09267857099b.pdf?index=true
- https://b490d0ea-1854-4b32-bf88-40878d8854d7.filesusr.com/ugd/fe83c3_5ad23d70042040f0a1348ee0d356cc7a.pdf?index=true
- https://cdn.shopify.com/s/files/1/0466/3469/6869/files/86664379527.pdf
- https://cdn.shopify.com/s/files/1/0435/7426/3963/files/lubowixunujozomako.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005333.bin` `73a55de0db80f987961dbedb078d1d700d3874d947cad21869ba088f25fcbacd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5333	5540 bytes
`font_01_sfnt_off000065ed.bin` `b98516a1c711c28dff3456ca8a9048919c0dd162b2940f82d2f2b97c1745ea88`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65ED	10732 bytes
`font_02_sfnt_off00008aeb.bin` `5f61313f1a3e3a671973c9d1dfad2a5a183df5c034e29bf06d98a49d76937e84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8AEB	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.