PDF malware analysis — malicious · 985e6e1f71670c94

MALICIOUS

PDF

46.4 KB Created: 2020-09-01 17:37:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 49f1f3104461fff3a0cfd206c64688ad SHA-1: 2eb7bb01553ffb81445122f4976a4b3048d8a15f SHA-256: 985e6e1f71670c940ac0b8c22afa18b7f5b797c4aede315f6d6545a388cf483d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it contains links to known malicious redirector infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic fired, noting a large number of embedded external links. The primary malicious IOC is the URL https://ttraff.com/wix?keyword=billboard+music+awards+2019+video, which is likely used to redirect users to a malicious site. The document body contains garbled text but also includes the same URLs, reinforcing their presence.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=billboard+music+awards+2019+video
- https://static.usrfiles.com/ugd/cb2bed_df3ddcea097146139bf0c8bfd2570953.pdf
- https://static.usrfiles.com/ugd/d4a9d6_1407a2cab46b454c92ae5c289ab614cf.pdf
- https://static.usrfiles.com/ugd/60933b_b03fa66319b54596be7b6a01931b4356.pdf
- https://static.usrfiles.com/ugd/45e30f_63cb492e52f54520ae57100bfd92911c.pdf
- https://static.usrfiles.com/ugd/b48b60_bcaea2ddea54434e99dcbb47a90a4c20.pdf
- https://static.usrfiles.com/ugd/b8c837_a3912266a6694ec7a4038ccb1f1778ca.pdf
- https://static.usrfiles.com/ugd/ae15ca_db773556f86c4f939023a1e8d812924e.pdf
- https://static.usrfiles.com/ugd/0511f5_11c05e6e593a41a7b48c04ae3e3679ee.pdf
- https://cdn.shopify.com/s/files/1/0438/2323/5232/files/xododosa.pdf
- https://cdn.shopify.com/s/files/1/0428/3678/7356/files/brandi_love_pic.pdf
- https://cdn.shopify.com/s/files/1/0439/7400/0798/files/83115794886.pdf
- https://cdn.shopify.com/s/files/1/0431/3346/8821/files/9216530884.pdf
- https://static.usrfiles.com/ugd/f0e51d_37b2df609aaf47e6953a8c1487d106cb.pdf
- https://static.usrfiles.com/ugd/5926b4_de539c653af84f29a68587b8b12b67ad.pdf
- https://static.usrfiles.com/ugd/de02f3_f948875daa914f3281c1a5a93dd1a51f.pdf
- https://static.usrfiles.com/ugd/b8c837_dccc252bc9b54ef0aefd27ea420dbcd8.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006829.bin` `f4dd124527836d198a82fd2932a68882ba7c65c781adc9f36e5a2a99fe5be942`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6829	5604 bytes
`font_01_sfnt_off00007b3c.bin` `6e6f203698e6c09261f5ed1b4b51ffea025d9286485d08692fdab4e24872640b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B3C	10248 bytes
`font_02_sfnt_off00009e4f.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9E4F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.