PDF malware analysis — malicious · b48228983e2a8e8c

MALICIOUS

PDF

57.3 KB Created: 2020-08-29 21:58:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 51a36e4ef0a20d4591141d937a71ef1e SHA-1: 1a7a9d726c26c107a5cc530d24274a6c1fc52bbe SHA-256: b48228983e2a8e8cb50ca8dda925f071fe0daaa659a80ba25a8326e96a40b8db

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, a technique often used to obscure malicious intent or to create a link farm for SEO manipulation. One of these links, 'https://ttraff.com/wix?keyword=pro+shou+produser', is identified as a malicious redirector. The document body is heavily obfuscated but contains this URL, suggesting the primary goal is to redirect the user to a malicious site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=pro+shou+produser
- https://static.usrfiles.com/ugd/f1d680_f782faf8f6b1430c82f995dc073640a9.pdf
- https://static.usrfiles.com/ugd/b8c837_1eeb1d42e4af45868d3c1e9680d850aa.pdf
- https://static.usrfiles.com/ugd/b8c837_9204ea580f5f44c6bc5d9c83bcc08aba.pdf
- https://cdn.shopify.com/s/files/1/0429/7474/0636/files/99863174950.pdf
- https://cdn.shopify.com/s/files/1/0431/8865/0146/files/88137467121.pdf
- https://cdn.shopify.com/s/files/1/0434/4909/0200/files/mapa_de_puerto_rico_con_sus_pueblos.pdf
- https://cdn.shopify.com/s/files/1/0437/5881/3341/files/bekulilokirizos.pdf
- https://cdn.shopify.com/s/files/1/0440/0224/6814/files/disere.pdf
- https://static.usrfiles.com/ugd/b8c837_bb6fe8f978d04fdf9afd989318c2a438.pdf
- https://static.usrfiles.com/ugd/b8c837_73f291fefe554f6cb4345bd5383cd736.pdf
- https://static.usrfiles.com/ugd/b8c837_6abd73b545414893bd8f5d5b3e9c24cd.pdf
- https://static.usrfiles.com/ugd/05900a_9c3d19a548974bd19a5e75161ebe7745.pdf
- https://static.usrfiles.com/ugd/b8c837_a5ec27176e5d4162ade2ca807066d017.pdf
- https://static.usrfiles.com/ugd/b8c837_439ca287ba404a629e4fd1e99a16ca19.pdf
- https://static.usrfiles.com/ugd/b8c837_d26cb12c52a44130914d4c5577b4c534.pdf
- https://static.usrfiles.com/ugd/b8c837_8d131643174e403598696e0872934691.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007307.bin` `10fcc6ab19fb8839dfc3526963de96cc823d022d0e49b8778f1e7488bdc1e013`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7307	11228 bytes
`font_01_sfnt_off000097cc.bin` `bf9f368aed0cb84579667b0bad7eda3a86c921ef5bb6326adc528401ee0c0d94`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97CC	4804 bytes
`font_02_sfnt_off0000a81d.bin` `fa4036830604880f15e1a73c58a531d355141c2bc6318e2798242dc37dfac5a4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA81D	14968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.