PDF malware analysis — malicious · 94d15985911a688e

MALICIOUS

PDF

47.7 KB Created: 2020-09-01 08:22:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 431c3b74e4433384f366dccc2206e64a SHA-1: f843f2cd6c07774bf0c7e563583cb6e84678dcbe SHA-256: 94d15985911a688e5f9c24abf28de3e6271ad41a1fb3409c120ee35c593269dc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, with one prominent link leading to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure related to resume or letter formats, and the malicious URL is directly embedded. This indicates a phishing attempt designed to redirect users to malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=resume+letter+format+example
- https://static.usrfiles.com/ugd/0fdb6d_563514bdecfd49f99990a28548ef888e.pdf
- https://static.usrfiles.com/ugd/b8c837_dddc3f59f09c4d07bce77264278fd212.pdf
- https://static.usrfiles.com/ugd/764aaa_96f5b9c8c661457bb790f69c5febcdba.pdf
- https://static.usrfiles.com/ugd/b8c837_fe522e3589b548c8a71564471d40eba4.pdf
- https://static.usrfiles.com/ugd/7f46b5_29cb30ebede54b84abd5aea2a66587fb.pdf
- https://static.usrfiles.com/ugd/c836c3_539a4f3fcb4e4234badc09c626e1bc95.pdf
- https://static.usrfiles.com/ugd/b914b5_1fabd9b22e14440c8b1190f49cf3a923.pdf
- https://static.usrfiles.com/ugd/05900a_bc3346bf81554e72987c8fb846ec14ef.pdf
- https://static.usrfiles.com/ugd/b8c837_f2933df0f45a4e1c93f0ae2af8fecf26.pdf
- https://cdn.shopify.com/s/files/1/0438/2975/6064/files/remove_xbox_game_speech_window.pdf
- https://cdn.shopify.com/s/files/1/0429/8535/7463/files/sumuwagadawijunakot.pdf
- https://cdn.shopify.com/s/files/1/0430/6613/0593/files/rufujonurakibarimibixi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/34597476450.pdf
- https://cdn.shopify.com/s/files/1/0439/5496/2590/files/29945785260.pdf
- https://static.usrfiles.com/ugd/e745be_abf74d0721e44619ad08a16e2d8b444c.pdf
- https://static.usrfiles.com/ugd/1849a1_01a4367dddc64842b4ee5c91660c755c.pdf
- https://static.usrfiles.com/ugd/76156b_03f382b10b6e4bba90cf54addba7f553.pdf
- https://static.usrfiles.com/ugd/3826db_65db8a3d317d408baf2ca9d66ffb88f4.pdf
- https://static.usrfiles.com/ugd/760101_9636d84d1f444985a4e072f5585aa790.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007c88.bin` `f335fcb2549211b2a08bd2cd5dc0ac80eb2b112118193cf8a89b095615eb47f7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C88	5124 bytes
`font_01_sfnt_off00008de2.bin` `ed76a4ff49185b5e685a46d934cdcde6803b3d7a84e362cde5230935499ed4d4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DE2	10544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.