PDF malware analysis — malicious · 7d54f9634b2a65ea

MALICIOUS

PDF

43.1 KB Created: 2020-08-29 06:07:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3fa397a66782adc9e1cf864395b194b1 SHA-1: e4748301d70f238ea38e32d9406376f54f654df6 SHA-256: 7d54f9634b2a65ea06ac4798887cc0936e77e5d4d797beea02bd386d70a431f9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded external links. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure, specifically 'https://ttraff.cc/wix?keyword=pyp+social+studies+scope+and+sequence'. Another critical heuristic identified a PDF link farm, with numerous links pointing to 'static.usrfiles.com'. The document body, though heavily obfuscated, also contains the malicious redirector URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=pyp+social+studies+scope+and+sequence
- https://static.usrfiles.com/ugd/b8c837_d75d49960f9c47feb215f5ad939edd75.pdf
- https://static.usrfiles.com/ugd/b8c837_cec3761a84a447d7b0164214c1a47698.pdf
- https://static.usrfiles.com/ugd/b8c837_d9df642da5774e1194a80f0934fb8a8b.pdf
- https://static.usrfiles.com/ugd/b8c837_af539dd498f04983a34c32e44ee0a53d.pdf
- https://static.usrfiles.com/ugd/b8c837_4467c5b00ebe4e0292dafdbfc202cd1a.pdf
- https://static.usrfiles.com/ugd/b8c837_172d42e92ff247ad86fd322153d4e154.pdf
- https://static.usrfiles.com/ugd/b8c837_4dcae3f53e624f2aa444ceba4c10c12f.pdf
- https://static.usrfiles.com/ugd/b8c837_34ddd6257b554724ad6efc2ae1960b0b.pdf
- https://static.usrfiles.com/ugd/b8c837_019096de12f24e95a47cbc0fdde67012.pdf
- https://static.usrfiles.com/ugd/b8c837_1f629cc0bc584e1088d5d1d04d2847f5.pdf
- https://cdn.shopify.com/s/files/1/0434/6806/2872/files/vafiboxidusisabejobobafo.pdf
- https://cdn.shopify.com/s/files/1/0437/4324/8533/files/8926763824.pdf
- https://cdn.shopify.com/s/files/1/0436/5120/3225/files/rizix.pdf
- https://cdn.shopify.com/s/files/1/0432/7358/4793/files/77373871246.pdf
- https://cdn.shopify.com/s/files/1/0435/2675/0357/files/45616578909.pdf
- https://cdn.shopify.com/s/files/1/0429/0582/9532/files/66504985047.pdf
- https://cdn.shopify.com/s/files/1/0432/5385/8472/files/nezabedomakumubawexomi.pdf
- https://cdn.shopify.com/s/files/1/0431/4929/5776/files/nuneleduxade.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006bc6.bin` `8a5df02edd698186fc2e4ab1906adc93687971fc59fb38b249f9267410f145bc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BC6	5200 bytes
`font_01_sfnt_off00007d80.bin` `bb597067d867a4ddaafe0a435c3c5e368ba7a191a1a3ddbba019937cb79d8b99`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D80	9876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.