PDF malware analysis — malicious · 917ff5182835d9f2

MALICIOUS

PDF

46.5 KB Created: 2020-09-05 15:40:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fad7e29b943c833f1ef8ecf6e32aab68 SHA-1: dd9e6a5d118ccd6be823bfd4b8f93a47576056ad SHA-256: 917ff5182835d9f2a3f7d676aed029da7e684c472f95018cbc12e0e4a6284889

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.club/wix?keyword=candidate+tracking+excel+sheet'. The document body also contains this URL and other links, presented in a way that suggests a download lure, supported by the 'SE_DOWNLOAD_BUTTON' heuristic. The presence of a mass external PDF link farm further indicates a malicious workflow designed to distribute or redirect users to harmful content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=candidate+tracking+excel+sheet
- https://cdn.shopify.com/s/files/1/0430/2422/0321/files/cambridge_international_dictionary_of_english_book_download.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/puxatofutedixa.pdf
- https://cdn.shopify.com/s/files/1/0440/7905/5000/files/dijiponemojexokejixanotu.pdf
- https://cdn.shopify.com/s/files/1/0434/4270/0455/files/65890897421.pdf
- https://static.usrfiles.com/ugd/891219_f6c52135be8349b59fa723f103ee5a67.pdf
- https://static.usrfiles.com/ugd/b91566_6cbe3d25a04c4557b5ecca2acab895b4.pdf
- https://static.usrfiles.com/ugd/8ab72e_6b47d17290bc4e669e3b46056fccced7.pdf
- https://static.usrfiles.com/ugd/b8c837_daf709f4c772486cbde61e62e75b0001.pdf
- https://cdn.shopify.com/s/files/1/0436/6155/7913/files/fistula_perianal_perros.pdf
- https://cdn.shopify.com/s/files/1/0432/9072/2454/files/livros_calistenia.pdf
- https://cdn.shopify.com/s/files/1/0432/1165/3282/files/manageengine_servicedesk_plus_admin_guide.pdf
- https://cdn.shopify.com/s/files/1/0437/7149/4554/files/axolotl_salamander_form.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000642d.bin` `8a18a9ec78e97d9d3e34bc5295036241f3bd8f734ce1fc66c46a71bad91a26c5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x642D	5032 bytes
`font_01_sfnt_off00007541.bin` `9f5ae3540830492545cd5578a60cd29be1a278080b97d879f35641eaddbd9f39`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7541	13256 bytes
`font_02_sfnt_off00009f62.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F62	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.