PDF malware analysis — malicious · aa03ba56f9a973ec

MALICIOUS

PDF

36.9 KB Created: 2020-09-05 16:06:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5d451e158afaa561230b54883cd82665 SHA-1: 5558cb2d2e7222b6c487e625d693ab72bf242108 SHA-256: aa03ba56f9a973ec90070fd2dfdcc372a4b59b125b993c7cc2dd16ebd1cb745d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be part of a link farm designed to manipulate search engine results or direct users to malicious content. The presence of a malicious redirector link and a large number of external PDF links suggests an attempt to lure users to potentially harmful sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=parkour+platformer+game+scratch
- https://static.usrfiles.com/ugd/0cd3a8_6221ff5f119346bca8e2c3c6fb79300b.pdf
- https://static.usrfiles.com/ugd/c1de29_5e9cbc70527546559475ac85ec5a5c4c.pdf
- https://static.usrfiles.com/ugd/76156b_5c6ef6d97015431f9ca1c6488d494829.pdf
- https://static.usrfiles.com/ugd/1b8612_174fcb67a7df42189269cd767abfe2fa.pdf
- https://static.usrfiles.com/ugd/2f3ac6_192c74ac268a423886b6529fcecb17f1.pdf
- https://static.usrfiles.com/ugd/4826f5_178a11f6bd2443e487e8b1a6e4d77974.pdf
- https://static.usrfiles.com/ugd/4d935e_874cccd7327b422aab87c8c18fe84ef0.pdf
- https://static.usrfiles.com/ugd/0779a3_8a3475ea27164d609d28b64fa162bfae.pdf
- https://static.usrfiles.com/ugd/cf79db_18cc1631db2442e29dec08c67438f041.pdf
- https://static.usrfiles.com/ugd/ac72e0_794373e0c89a42699dc74ea8a36919cb.pdf
- https://static.usrfiles.com/ugd/f96b02_6603da1588254e0d9ef9d0e30a1d1ecc.pdf
- https://static.usrfiles.com/ugd/10e3af_d6014975aab74755930116c214e781a0.pdf
- https://static.usrfiles.com/ugd/289c5e_1ca994a272b743638680412813b92c1b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004528.bin` `e47922d31c7dbc43ac292278fa8a4f2faab63b80ab39ddd438c8dc6238817185`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4528	5224 bytes
`font_01_sfnt_off000056f7.bin` `a4c84f37b4357adb37e4830523bb6410f9bd2c73199c6015614216ba698caff8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56F7	9868 bytes
`font_02_sfnt_off000078c6.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78C6	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.