PDF malware analysis — malicious · 54ffa5d8d31fd9b7

MALICIOUS

PDF

42.2 KB Created: 2020-09-05 17:45:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 09bba1d8109e2f4a2cd47e0a0cf749b3 SHA-1: 93879a014852ced68acc727cb7b8c2166a955dc9 SHA-256: 54ffa5d8d31fd9b71ae1505ebf5bfebc4b94049105f21fa805f0051c6ea3e495

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=creative+poster+design+templates'. This URL is presented within the document body, disguised as a download for design templates. The file also exhibits characteristics of a PDF link farm, with numerous external links, many of which point to benign Shopify domains but are likely used to obscure the malicious redirector. The presence of a visual download button heuristic further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=creative+poster+design+templates
- https://static.usrfiles.com/ugd/b80405_5ac3004ded264e84acc3f42cd5d9c2fb.pdf
- https://static.usrfiles.com/ugd/a4d998_d8e88c5aa4014a949cd4c743a158e6cd.pdf
- https://static.usrfiles.com/ugd/b8c837_5f600633f2ff4fc5b198964fd0905691.pdf
- https://cdn.shopify.com/s/files/1/0431/0728/7206/files/68807952883.pdf
- https://cdn.shopify.com/s/files/1/0439/5306/2043/files/37017886018.pdf
- https://cdn.shopify.com/s/files/1/0428/1414/4675/files/nazutazazufosojedizexixif.pdf
- https://cdn.shopify.com/s/files/1/0470/9020/4830/files/arthdal_chronicles_ep_12.pdf
- https://cdn.shopify.com/s/files/1/0439/5529/0270/files/42754715686.pdf
- https://cdn.shopify.com/s/files/1/0434/3015/0300/files/fevodobuwoveninise.pdf
- https://cdn.shopify.com/s/files/1/0428/5382/6726/files/25914498277.pdf
- https://cdn.shopify.com/s/files/1/0430/5443/2410/files/17950694120.pdf
- https://cdn.shopify.com/s/files/1/0430/1458/6517/files/62587346163.pdf
- https://cdn.shopify.com/s/files/1/0432/5077/8269/files/lukukadugelomi.pdf
- https://cdn.shopify.com/s/files/1/0435/2560/3488/files/language_of_computer.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000675f.bin` `6253be39ccceea80e7e4d0dbcdd8118324e5c98cab66722250a174730f3acf3d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x675F	5244 bytes
`font_01_sfnt_off00007922.bin` `dc8c7cc4ca2abaef0b37f61df16e7df4560a815b49cb13a9094e209b3f6e43af`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7922	10440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.