PDF malware analysis — malicious · b0d6615c457cc502

MALICIOUS

PDF

65.6 KB Created: 2020-09-14 15:05:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 41aa2b953ed28a9fb6cb27208f3ba592 SHA-1: 4f419b9d8d86924b9196fba0cc409105398ea3aa SHA-256: b0d6615c457cc50250da053821f7c42584b47914d5d0c1c683c205cfc31db210

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic firings indicate that this is likely a link farm designed to direct users to malicious content or manipulate search engine results. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine a more specific attack pattern beyond link redirection.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/pify?keyword=activity+coefficient+table
- https://static.usrfiles.com/ugd/eda9ba_b5e7f6498d4c487c84d391ad72eb154b.pdf
- https://static.usrfiles.com/ugd/38bf1f_52d941162f8d4965bec45a5d0457ee58.pdf
- https://static.usrfiles.com/ugd/957c7b_cbec6893fc274fedb5af36b627b7002e.pdf
- https://static.usrfiles.com/ugd/39cb9d_c150995c8bc84bd2a8bf23af61ca84bf.pdf
- https://static.usrfiles.com/ugd/7ef0dc_4e36c02599304d1c8d70f6d968f58c01.pdf
- https://cdn.shopify.com/s/files/1/0431/8124/4573/files/chader_hashi_badh_bhengeche_free.pdf
- https://cdn.shopify.com/s/files/1/0430/8094/1721/files/12998692016.pdf
- https://cdn.shopify.com/s/files/1/0432/6513/0660/files/60239597573.pdf
- https://static.usrfiles.com/ugd/158fb9_d11f4f5b9e9a4479b04a0d388c9cb865.pdf
- https://static.usrfiles.com/ugd/cdb50c_37be58d711af44959515acd6325951db.pdf
- https://static.usrfiles.com/ugd/041b56_db5a512b7d134fba8b002709253591cc.pdf
- https://static.usrfiles.com/ugd/3225da_3f797cf081d744819ebf5fdda062c1e0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000083e4.bin` `94bbf7516d0f37fa02e6f63bdb07c6bd40e935fec41e33ded7c06d4ad5f33230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x83E4	4680 bytes
`font_01_sfnt_off000093a2.bin` `fba9f6d5d467b7d6bbccdc8ac95b73ea8a6825a62cfb156e50cd914bb525142d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93A2	6300 bytes
`font_02_sfnt_off0000a2fb.bin` `9e8ffca5ec1e0b24808cb33cba0e963ba332390acca87f5b388455523a2440e8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA2FB	15808 bytes
`font_03_sfnt_off0000d4f4.bin` `c0544f8953c1f4d9bc77075aff176a99aa7df9ad8f3fb84765c8afe19cbb829d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD4F4	16324 bytes
`font_04_sfnt_off0000eaa1.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEAA1	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.