PDF malware analysis — malicious · 7d8f6ae41cda3306

MALICIOUS

PDF

51.1 KB Created: 2020-08-29 18:00:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 543e91101b760b512fc5b9a19da91a3f SHA-1: 3756f5887383e8fffa57e68c9ad1b4fa5561b0df SHA-256: 7d8f6ae41cda33065bcbf2fd7e21a170e30e50e03c53176ac8bc865efaf01c1a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains the same URL and appears to be a lure for a movie download. The file also contains a large number of embedded links, many pointing to 'static.usrfiles.com', which is flagged as a link farm. The primary malicious IOC is the redirector URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=kick+2+telugu+movie+movierulz
- https://static.usrfiles.com/ugd/5ed537_f2307db817e74ea8bcfa9f9657a2b2f3.pdf
- https://static.usrfiles.com/ugd/b8c837_70794ba9d425445caab772f7e50515e8.pdf
- https://static.usrfiles.com/ugd/b8c837_ba3326000c4c431b9463f4676d64e347.pdf
- https://static.usrfiles.com/ugd/b8c837_d848dcfe411946d194bb6a3471ffe9de.pdf
- https://static.usrfiles.com/ugd/4dd980_4a4a47fc32294a7d922987c3b244463f.pdf
- https://static.usrfiles.com/ugd/b8c837_f535ef80b684449da6f47851167064a5.pdf
- https://static.usrfiles.com/ugd/b8c837_23bd4eca5d9745bfbff6a7d67b9b17e1.pdf
- https://static.usrfiles.com/ugd/de65f7_5cbdacf9ccdb4633bfaf541af6b53124.pdf
- https://static.usrfiles.com/ugd/b8c837_821e933222a64af9b7de43d3807d34f3.pdf
- https://static.usrfiles.com/ugd/b8c837_de375d03be5b4531aae2a3e01fc7263c.pdf
- https://static.usrfiles.com/ugd/b8c837_cd7041927a3b40b58154c551441228d1.pdf
- https://static.usrfiles.com/ugd/b5472a_4b570142714c441a88661a7390c674c7.pdf
- https://static.usrfiles.com/ugd/b8c837_2022151995844827939005307418c717.pdf
- https://cdn.shopify.com/s/files/1/0433/3892/4181/files/meme_creator_and_templates_tamil.pdf
- https://cdn.shopify.com/s/files/1/0436/9013/1609/files/berlin_train_map_pdf.pdf
- https://cdn.shopify.com/s/files/1/0432/2384/2983/files/23567871378.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007548.bin` `41015a8ff2232e51ac3ae3a543bfab31ae4439a37d83ea70cb1f213fd3ce6f10`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7548	5004 bytes
`font_01_sfnt_off00008645.bin` `e270f2abec7eb5c5d3c94682a5cb870e30d3728e2d1c700d5f47256ba28d5a9c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8645	10460 bytes
`font_02_sfnt_off0000aa0e.bin` `ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAA0E	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.