PDF malware analysis — malicious · 8d83136d70da3b95

MALICIOUS

PDF

45.0 KB Created: 2020-08-30 01:57:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 45c9de843a1d539f13b5d3d79323462c SHA-1: 665e9a9ebe12dfbf52eda22fab02d4d7479db465 SHA-256: 8d83136d70da3b9504e9b3c1f661eedc62ff69ffdc06a6518c84f41aceda6756

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that promises a crack for 'archicad 19'. The document body also contains this URL and a call-to-action phrase, suggesting a lure to download malicious software. The presence of a link farm further supports the malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=archicad+19++crack
- https://static.usrfiles.com/ugd/b11f6d_9539d30dec8946d28b98587d67f37e81.pdf
- https://static.usrfiles.com/ugd/0d2908_635968c9b6f741c28e15d3d2f554da36.pdf
- https://static.usrfiles.com/ugd/06497e_98dc4afe06cf46e1be11a07f6e7a6610.pdf
- https://static.usrfiles.com/ugd/5360f8_abf93d610d3845ce90b667dcbfbae05c.pdf
- https://static.usrfiles.com/ugd/2c8d66_8e1378401ace4e2ba79a386166b2f400.pdf
- https://cdn.shopify.com/s/files/1/0428/0962/2691/files/24147389657.pdf
- https://cdn.shopify.com/s/files/1/0451/0292/3939/files/applied_mergers_and_acquisitions_workbook.pdf
- https://cdn.shopify.com/s/files/1/0437/4944/1687/files/dutedato.pdf
- https://cdn.shopify.com/s/files/1/0431/3359/9911/files/kojefikifup.pdf
- https://static.usrfiles.com/ugd/77d535_19b97744469243819d40071fdfe9122c.pdf
- https://static.usrfiles.com/ugd/0fdb6d_754fa4cfc1cf4ad9b5d85f2994355a32.pdf
- https://static.usrfiles.com/ugd/b9801a_a0b09953912949e3a3dc24b2c27af5c3.pdf
- https://static.usrfiles.com/ugd/735189_9aeff3676fcb432993fe18bd18789110.pdf
- https://static.usrfiles.com/ugd/b8c837_e8373fc8801e47aeabcc6c0299ed8792.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000679b.bin` `b259824537e9bce30c1c92a6b2b15075baf63c2b8857abeece9a1a4bd16fd3c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x679B	4452 bytes
`font_01_sfnt_off000076b7.bin` `e6adaaa86190224090a08bfff4056a62b096e6389de9b72035058ceb48ff5a71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76B7	10072 bytes
`font_02_sfnt_off00009934.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9934	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.