PDF malware analysis — malicious · b2b1127aa7937932

MALICIOUS

PDF

42.0 KB Created: 2020-08-30 03:09:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 58e9ea2c386d56ffcee3c2d71935ff47 SHA-1: e38f77fec5e59c9128b13fe5d5f79dc3bb1665cc SHA-256: b2b1127aa79379321cb17a430c64ee0d942306c856e0e09c7d7bd4775e9e3c75

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to a malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to an 'assessment form for mental health' and the malicious URL itself, suggesting a social engineering lure. The PDF also contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic, which are likely part of a link farm to improve search engine ranking for malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=assessment+form+for+mental+health
- https://static.usrfiles.com/ugd/c4ccc4_ec56321d24514ef58cc5ab6dfd6746d9.pdf
- https://static.usrfiles.com/ugd/217d68_5ae3c92488a241eab85aa5c3919dd8d0.pdf
- https://static.usrfiles.com/ugd/ce14f3_2b186425878746b3b66ea32217356a7e.pdf
- https://static.usrfiles.com/ugd/8b49c6_063504235e8945c8ad29a488010e7cad.pdf
- https://cdn.shopify.com/s/files/1/0437/7729/4498/files/rudolajapaxalesunaxaletug.pdf
- https://cdn.shopify.com/s/files/1/0432/4163/5997/files/69553240183.pdf
- https://cdn.shopify.com/s/files/1/0437/8443/7922/files/96084159719.pdf
- https://static.usrfiles.com/ugd/b8c837_ed6b4b5cd7af4c21a6159f72421b3196.pdf
- https://static.usrfiles.com/ugd/b8c837_8cbfaae0f2704c2fb9ed3e7b475b0618.pdf
- https://static.usrfiles.com/ugd/b8c837_1ec9cfcc516241eb91aaee5f9f0ea4fd.pdf
- https://static.usrfiles.com/ugd/73cb9e_aa30f34d303c42aa8301cbca8b52ba88.pdf
- https://static.usrfiles.com/ugd/45fd81_c9de5b3903f74ef88edf7d93b18c3204.pdf
- https://static.usrfiles.com/ugd/a467d2_80732ded8ac042f7ac1d4ca624971540.pdf
- https://static.usrfiles.com/ugd/4cf28d_e01e53af471a4e6c9ac04bdc30f5c76b.pdf
- https://static.usrfiles.com/ugd/97368a_449a27a80d584d8b8c041c2982978cce.pdf
- https://static.usrfiles.com/ugd/77d535_38d259c71c394775a0323673a96ce0c0.pdf
- https://static.usrfiles.com/ugd/b8c837_10d0b055c36f4579b1d805f4e1d35ce0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006750.bin` `f53d82f5ba6d921c0e26008441db8be8e7b176d68e060613bc270bc9bd0e0dac`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6750	4996 bytes
`font_01_sfnt_off00007818.bin` `5f77e9e95eb2c38c007fd60c79a67b6fd4bba44e559e7ae9204aeed96845809d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7818	10232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.