PDF malware analysis — malicious · b2d6489ff688ed11

MALICIOUS

PDF

43.5 KB Created: 2020-09-09 08:01:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cce93e465c9caf6e5a7fb48f2cdaf35d SHA-1: 94879c6ff9404bde9d13fbc83778fcc749046496 SHA-256: b2d6489ff688ed11684432e6d011ac3912d755f8b8ba05889f65b93c2c50619b

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many pointing to Shopify domains, which is indicative of a link farm. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.club/wix?keyword=fitbit+charge+3+hr+manual'. The document body, though heavily obfuscated, appears to contain references to 'Fitbit charge 3 hr manual', suggesting a lure to trick users into clicking the malicious link. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=fitbit+charge+3+hr+manual
- https://cdn.shopify.com/s/files/1/0433/2794/6904/files/76526935428.pdf
- https://cdn.shopify.com/s/files/1/0433/0936/7461/files/88323304956.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1015/files/88773030841.pdf
- https://cdn.shopify.com/s/files/1/0437/7093/7495/files/51311192553.pdf
- https://static.usrfiles.com/ugd/3ed902_7598d31f8c984f198ec7abfb65222ce7.pdf
- https://static.usrfiles.com/ugd/b88e3d_1bc3d49b678549fcb0f740e22cba57c5.pdf
- https://static.usrfiles.com/ugd/4b7290_df6109b57f9d4a2aa711b7a1e92f66e7.pdf
- https://static.usrfiles.com/ugd/69b86f_4413c3d2db1f48d2a1c00f7b3fd27101.pdf
- https://static.usrfiles.com/ugd/850f07_5a515c3a194c4899973d3571f6305c43.pdf
- https://static.usrfiles.com/ugd/87fdc7_7e8b8e3c04ba457995e52e836b478047.pdf
- https://cdn.shopify.com/s/files/1/0432/6300/0736/files/dota_2_doom_guide_2019.pdf
- https://cdn.shopify.com/s/files/1/0440/8462/5558/files/pasutuva.pdf
- https://cdn.shopify.com/s/files/1/0429/4931/2666/files/80878261126.pdf
- https://cdn.shopify.com/s/files/1/0436/3635/9326/files/46138990035.pdf
- https://cdn.shopify.com/s/files/1/0429/4138/2812/files/wufewesopozas.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006bbb.bin` `bc48aa1184c1c2bda80dd0d523373c40351cdf28c9370cf43cce12acf0498009`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BBB	5292 bytes
`font_01_sfnt_off00007d9d.bin` `32b16ad3f2b59fdaa6945d1c9f8cfd3da634ffb61444bfe5fd7ce27adcd740d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D9D	10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.