MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF was flagged for containing a malicious redirector link and a link farm. The primary malicious URL identified is https://ttraff.com/wix?keyword=1048+angel+number, which is likely used to lure victims into a phishing or malware download site. The presence of numerous other PDF links suggests a coordinated effort to distribute content or traffic through a link farm.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.com/wix?keyword=1048+angel+number
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000071b5.bin 21fe7d5f48088b1c13ba22b5001d6918eeaa424826f5fd8a1ceb1da33cd45848 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71B5 | 5348 bytes |
| font_01_sfnt_off000083c1.bin a055cf6b7ef05b971d626507adb5f3ea8cf64f9f0a59b317f2f132f03af11f68 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83C1 | 7200 bytes |
| font_02_sfnt_off0000976a.bin 89ab911186555b5a3853bcf2fe140ce644d49a5531371b5dee1b7d43d3d687a1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x976A | 9956 bytes |