PDF malware analysis — malicious · a84a2436a4f04fd2

MALICIOUS

PDF

53.0 KB Created: 2020-09-17 08:24:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 69a1fc765d5b010246a43b67445df7e1 SHA-1: 4a3cc4e3e81838c7c75f3ece52ade5b10a52f885 SHA-256: a84a2436a4f04fd2ff11f300541952b4657cc4376f7a3b1e1c365e614cb3cc2d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/wix?keyword=breakdown+or+destruction+of+blood+medical+term', is likely designed to lure users into clicking it by appearing as a legitimate search query. The file also contains a large number of embedded links, many pointing to PDF files, suggesting a link farm or SEO poisoning tactic. The primary malicious intent appears to be directing users to malicious infrastructure via the redirector.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=breakdown+or+destruction+of+blood+medical+term
- https://86063f2a-b9b9-4be
- https://106825b1-2ccb-4d80-9dd1-80c28c38403e.filesusr.com/ugd/fa6f14_9f47d2bdb713492e8a032e643c26557a.pdf?index=true
- https://e907078b-e5e5-4dcf-aa6e-819e17b31782.filesusr.com/ugd/d38238_f7cfa5d22e544b66b5b11a27b16bf1dd.pdf?index=true
- https://6b147fec-6574-48bf-9ec7-e112632b8eda.filesusr.com/ugd/110ef3_c673ffe798044072bf2e23137d8afba7.pdf?index=true
- https://cdn.shopify.com/s/files/1/0433/0471/4404/files/domamozaxipa.pdf
- https://cdn.shopify.com/s/files/1/0430/6544/2455/files/18148432172.pdf
- https://cdn.shopify.com/s/files/1/0438/7730/2427/files/51362588290.pdf
- https://b1965cd0-4582-4a9a-902d-dafe41bcb1cd.filesusr.com/ugd/162fe6_c54213b403374034b85d8eb04dd29f9f.pdf?index=true
- https://86063f2a-b9b9-4be0-bd3f-1a19afa8b00d.filesusr.com/ugd/76156b_5d5068e0c42742bfa398949cd24f8499.pdf?index=true
- https://466061d8-1c0b-460e-b62b-f171f68f5cd5.filesusr.com/ugd/0cd019_f7d39892de9c48889ab627f2c186d704.pdf?index=true
- https://cd8d3d53-6165-4fbd-a17d-13f610027ab1.filesusr.com/ugd/2eedf1_6c83b88e9d1d4f0ca625c0894a3f2a41.pdf?index=true
- https://8983d69d-9440-40ae-a782-ebbd46721621.filesusr.com/ugd/882da0_13d06bfedcd04a7b80934b9c0ce87d8b.pdf?index=true
- https://cbfadcec-1e70-4128-8131-5921fbcb1300.filesusr.com/ugd/668a47_44eab1e479154979a55fd4062705bf10.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008d5c.bin` `e9db254faecbbaeb4deb25055e2bdc6ffe11d6e7bd9c2930f6701e5ba55afd22`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D5C	5512 bytes
`font_01_sfnt_off0000a01d.bin` `c76d8ce040b8b6c0c93b640a5bef26e3f2cc4d8ba3d284f775a8600c403ec5a6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA01D	11336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.