PDF malware analysis — malicious · 9d1f375def4b080d

MALICIOUS

PDF

50.0 KB Created: 2020-09-07 18:28:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 75d8e587d96cc28e36d7726c90a2699f SHA-1: 0c6d26f835a2101531e2b281819c75232109cf31 SHA-256: 9d1f375def4b080d35cb7bcbce2165321ed022373aff8e9e3cd3e8a4d8721efb

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The document body, though heavily obfuscated, contains the URL that triggered this heuristic. The presence of numerous other links, identified by PDF_SEO_LINK_FARM, suggests a link farm or SEO poisoning tactic to distribute the malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=acknowledgement+letter+for+thesis+sample.+pdf
- https://static.usrfiles.com/ugd/1c8c1e_a36d8224aa2741318560dc6a59582e4a.pdf
- https://static.usrfiles.com/ugd/60933b_3e47b8068d0c4ef8ba40b15de9021330.pdf
- https://static.usrfiles.com/ugd/ab5adf_e81bca999ab5421eb0ea729bc6fa5087.pdf
- https://static.usrfiles.com/ugd/5ed537_348e3ee97b9b42c486090423fe129e46.pdf
- https://cdn.shopify.com/s/files/1/0434/3182/1468/files/tusivivire.pdf
- https://cdn.shopify.com/s/files/1/0440/2610/1910/files/kinosuturavinoge.pdf
- https://cdn.shopify.com/s/files/1/0430/5531/7149/files/imagenomic_free_for_mac.pdf
- https://static.usrfiles.com/ugd/24d943_1f89c48b04244777887868d727ddb0a1.pdf
- https://static.usrfiles.com/ugd/8b2c09_453a6769e7be45bd940bbd2c6c370cb4.pdf
- https://static.usrfiles.com/ugd/f80014_4ce76f8521274c138c5d019f94fe98d9.pdf
- https://static.usrfiles.com/ugd/b11f6d_4f022461afd44830bd78ade9efd14ce1.pdf
- https://static.usrfiles.com/ugd/e3ed1f_10203aa70584447eb580864dfba6af05.pdf
- https://static.usrfiles.com/ugd/469aea_552c50ddf8f14bb196ff61bd44bd3c88.pdf
- https://static.usrfiles.com/ugd/d1fcfc_8eb5748a1bd2448daa1454754ae7632b.pdf
- https://static.usrfiles.com/ugd/0bcf16_e9117477ac9b4e038a45903781746e57.pdf
- https://static.usrfiles.com/ugd/b8c837_ebb3f774907b4a09a52d5f7ee66dbc9a.pdf
- https://static.usrfiles.com/ugd/ccb1c6_f3baea1f798b4e709161b03e0cf4236c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000076bf.bin` `f9cd781a035bdef83fa0ab6d1b5b6b22c19ca08be8fdd5ca93cf9e81ca88ffb3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76BF	5536 bytes
`font_01_sfnt_off00008972.bin` `20970fcbbe592b674c28bf8e311da97ce96e5b459afe32b5f9496b871b13a4ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8972	10408 bytes
`font_02_sfnt_off0000acd5.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xACD5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.