PDF malware analysis — malicious · 9cfd39ceef3b277f

MALICIOUS

PDF

53.4 KB Created: 2020-09-03 13:05:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7bad59d0fd35b1534c228cc5401f2029 SHA-1: e6f7a2a107c001a1756812da5af0e412a5cc0ad7 SHA-256: 9cfd39ceef3b277f5c292cb9132306243514ff4f83dfb11f79d4051b6bf01c59

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a mass external PDF link farm, with many links pointing to static.usrfiles.com. One prominent link, https://ttraff.com/pify?keyword=vector+addition+and+subtraction+pdf, is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking PDF links, suggesting a lure to trick users into clicking the malicious link. No scripts were extracted, and the primary malicious activity appears to be redirection.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=vector+addition+and+subtraction+pdf
- https://static.usrfiles.com/ugd/2e4eb4_2dbefd22d0264eae870f985dea1ed359.pdf
- https://static.usrfiles.com/ugd/9cfd0a_ab29d2c6952347a39cea7413b68aff7b.pdf
- https://static.usrfiles.com/ugd/4e6dd5_7dfef15f139d492c838343dd638e0366.pdf
- https://static.usrfiles.com/ugd/7ea8bb_83279863df8746c1a7f3e3426d4a9db5.pdf
- https://static.usrfiles.com/ugd/5ea4d5_c385cf5d1af04fb09c1600b4062930ab.pdf
- https://static.usrfiles.com/ugd/26938b_7e12f3fe24934c4490407efd963d5b39.pdf
- https://static.usrfiles.com/ugd/b8c837_c9a9fea88f0240649fe5c4050693dea6.pdf
- https://static.usrfiles.com/ugd/4f92c1_762ddca67aed4ce385bac2653cff1626.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/33374625424.pdf
- https://cdn.shopify.com/s/files/1/0434/3103/5032/files/sasibinab.pdf
- https://static.usrfiles.com/ugd/b8c837_73d44f7e83164624909aa3b40919c01f.pdf
- https://static.usrfiles.com/ugd/3b7182_840fb4be470e480c8b52ce87e2c78791.pdf
- https://static.usrfiles.com/ugd/08fe48_4d903e4decdc48448d5bca1e4e700e79.pdf
- https://static.usrfiles.com/ugd/0d2fda_835eb679c9264f2684639c7ef01b69b1.pdf
- https://static.usrfiles.com/ugd/1b8612_263ad9dbe9a0413f903141076ac463c4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008553.bin` `8c44adcd356057fd3180e513aad91d4a2a38a8a8199f25c016a0cec8e6edab2b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8553	5104 bytes
`font_01_sfnt_off000096af.bin` `d4b73498a82d6a60aefb463b3ad29162953e6524ee13b17e982f9d2da252198d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x96AF	10532 bytes
`font_02_sfnt_off0000ba96.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBA96	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.