PDF malware analysis — malicious · 8ac2b5ed09835d89

MALICIOUS

PDF

48.9 KB Created: 2020-09-02 09:14:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5d59544f2332140220f48614a179824b SHA-1: 786d8b48f3bda835ce3abf32068094c8b0354960 SHA-256: 8ac2b5ed09835d8976624a2660a577c8100973a365874bc70fedd7285f2a8aea

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a download button, aiming to lure users to a malicious site. The link `https://ttraff.ru/wix?keyword=computer+certificate+design+psd+free` is identified as a malicious redirector. Additionally, the PDF contains a large number of external links, many pointing to `static.usrfiles.com`, suggesting a link farm or SEO poisoning tactic to distribute malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=computer+certificate+design+psd+free
- https://static.usrfiles.com/ugd/5fd5c1_2b2801f203a14b45b119e9da8acea562.pdf
- https://static.usrfiles.com/ugd/9c43ec_2ecb1811dc494f1f85d701ea5e76b530.pdf
- https://static.usrfiles.com/ugd/941881_2e6a37a9715e41eeab37209384c8b3af.pdf
- https://static.usrfiles.com/ugd/61804c_bd4633d9cce844ef9df9700d3c323d0c.pdf
- https://cdn.shopify.com/s/files/1/0431/8999/3636/files/xemibabakojef.pdf
- https://cdn.shopify.com/s/files/1/0434/3575/3639/files/sezelapozutexutino.pdf
- https://cdn.shopify.com/s/files/1/0430/0819/6767/files/zanopugabanefe.pdf
- https://cdn.shopify.com/s/files/1/0433/5743/8101/files/functional_programming_patterns_in_scala_and_clojure.pdf
- https://cdn.shopify.com/s/files/1/0452/3936/9885/files/basin_and_range_john_mcphee.pdf
- https://static.usrfiles.com/ugd/5e8de6_abe61fb969734b2bad7b2fa9eea7fd78.pdf
- https://static.usrfiles.com/ugd/865d50_7159f6df951346aea56905d481cfb504.pdf
- https://static.usrfiles.com/ugd/e745be_3e3dabc4974e49cebba7809fc8129c33.pdf
- https://static.usrfiles.com/ugd/286fb8_8f3ff6d3a8fb4711a74f54f525968688.pdf
- https://static.usrfiles.com/ugd/4c76bf_515671a8fe6b40d89b622caff50a35d7.pdf
- https://static.usrfiles.com/ugd/b8c837_a6ac94d7694e49bdafb1d80a59324829.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000081ac.bin` `fcd019592e0a91316191fd6e4cbd36883d5a32d9a4c6304672a83eca8985ccca`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81AC	5348 bytes
`font_01_sfnt_off000093c0.bin` `06f5a4aa7dd68b83d5077026720f4e9aba8ac580f7d71fa4a8fac4c1d33fa478`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93C0	10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.