PDF malware analysis — malicious · a013e34ff6e25239

MALICIOUS

PDF

40.1 KB Created: 2020-09-02 05:30:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 438d556fd39d11595bf63a867d30faa1 SHA-1: 2412b0ec674c255c71cf855e3c49835652c4af54 SHA-256: a013e34ff6e25239cbe2e0d44fd768ca64d30c19921958917b03c52515c86b93

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=burner+2nd+number+apk'. Additionally, it exhibits a PDF link farm heuristic, indicating a large number of outbound links, many of which are to benign PDFs hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure related to obtaining a burner phone number application. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=burner+2nd+number+apk
- https://static.usrfiles.com/ugd/735424_e392618a39ba43359a6af6c03fd44dd2.pdf
- https://static.usrfiles.com/ugd/71fd01_5af4076205ac42d78acafd0403fc6125.pdf
- https://static.usrfiles.com/ugd/ca300b_34c79010d3874bb69a87b5f46b9ebb9b.pdf
- https://static.usrfiles.com/ugd/cb2bed_787a1cb8e3b643d49efe72d3d583ddd9.pdf
- https://static.usrfiles.com/ugd/b8c837_1e6f9280bff74ab08132e5d1f533c3a3.pdf
- https://static.usrfiles.com/ugd/bcd086_fb3096a8afb546e3a7c9fc51638af6cc.pdf
- https://static.usrfiles.com/ugd/bcd086_7b4d9c8b97154eb8a625a3dd5412f272.pdf
- https://static.usrfiles.com/ugd/a3b54b_68afb95cef6543bfb306a4fb47189094.pdf
- https://static.usrfiles.com/ugd/8b2c09_4fe0e75970ee4236bce58a9ac9923075.pdf
- https://static.usrfiles.com/ugd/191a6d_50f0fed9d1cd49f7bb62b3114c405257.pdf
- https://static.usrfiles.com/ugd/b8c837_97ced84cf33f4380a7f992ef97d4d2bd.pdf
- https://static.usrfiles.com/ugd/374ce0_943cc4b2a6ec4722aa79a09875c86eb2.pdf
- https://static.usrfiles.com/ugd/5899d5_a394c791479949758a8df8befe8f8304.pdf
- https://static.usrfiles.com/ugd/b6edda_60d6a82cec1b402c9f228dbdd44a90a7.pdf
- https://static.usrfiles.com/ugd/89c6ad_a73ec0a227064e639f25c9caa066d7e3.pdf
- https://static.usrfiles.com/ugd/5899d5_679fbc9cdf4846529d957697ff4f7673.pdf
- https://static.usrfiles.com/ugd/764aaa_2f9299f96c5f4095b5acd01378d3676e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e1c.bin` `aa8b25d867c550a1ac0abe817962085f13f8384cf3dff6d18cda4c1bb07d5b47`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E1C	5280 bytes
`font_01_sfnt_off00006ff9.bin` `3be5d4c5ab7b01f4fe5df3e8736f01b4d129c64b77e2361d1ed5d4b7f972d2d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FF9	10560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.