PDF malware analysis — malicious · 7ddb1bf0808046f5

MALICIOUS

PDF

51.1 KB Created: 2020-08-29 09:26:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 863cf691577a8a0750f11434f367c5ad SHA-1: d688d784300e13fa2f02bf9de72bdfc1882f3e6e SHA-256: 7ddb1bf0808046f522d9ff62a961f94299ffd248e0b3b5fc0325ab9f3d64ffdf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=formato+carta+poder+word+descargar'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many of which are benign but serve to obscure the malicious one. The overall pattern suggests a phishing attempt to redirect users to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=formato+carta+poder+word+descargar
- https://static.usrfiles.com/ugd/b8c837_6611383f101e4964bd06c5f8bab29af1.pdf
- https://static.usrfiles.com/ugd/b8c837_21712192fa9c44589b436f303ae18796.pdf
- https://static.usrfiles.com/ugd/b8c837_9c39f011f4a049c9b1d73c99b5015e88.pdf
- https://static.usrfiles.com/ugd/b8c837_70daa1f1fdf1455cbc981c6cfc1217fe.pdf
- https://static.usrfiles.com/ugd/b8c837_eae511e1d280401e82e865bf8488f0b6.pdf
- https://static.usrfiles.com/ugd/b8c837_4d14f47df3fb483dbf36fe1f467e8e41.pdf
- https://static.usrfiles.com/ugd/b8c837_368b52a6506f474486ead39902221bed.pdf
- https://static.usrfiles.com/ugd/b8c837_4a8e8b88ce3f42ecaa4fc7149577fd9a.pdf
- https://static.usrfiles.com/ugd/b8c837_b7f2f76f30004373b87fe5da67f0af9e.pdf
- https://static.usrfiles.com/ugd/b8c837_9c2b4949788c4213a65bdd99df67cc4b.pdf
- https://static.usrfiles.com/ugd/b8c837_14d2ad49b4374aca9468dc11e86e9712.pdf
- https://static.usrfiles.com/ugd/b8c837_8ce3de2a0dbe44b98f7ad2a3844927c0.pdf
- https://static.usrfiles.com/ugd/b8c837_afc8f188e4a548d1bacb7fcad7aeffd4.pdf
- https://static.usrfiles.com/ugd/b8c837_17019950445d40e2b4290c7219e8af36.pdf
- https://static.usrfiles.com/ugd/b8c837_b15b48bc05bb442585c42e9101cdf8a4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007752.bin` `eae1f34b840f1bc028d5a8c423f28724cbd6069637a207dd3da6796cabbd8c91`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7752	5408 bytes
`font_01_sfnt_off000089ab.bin` `c2514be52424705deee1df194651f67c6233aba8eb893a6b19affc7ab53892b3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x89AB	1636 bytes
`font_02_sfnt_off000091e2.bin` `034347a91f456555e7646350d85f95b732acc11d0bac69b8087895728025eb43`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x91E2	14376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.