PDF malware analysis — malicious · b937014aefa9abc7

MALICIOUS

PDF

71.8 KB Created: 2020-09-06 07:16:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 49c505c06b0ca2fa86e3e5f365010a46 SHA-1: ee1c66c63251e5b1e5781963bf3c0b654b016670 SHA-256: b937014aefa9abc7e493ae8631321b8d10262d83cb562f979ff897c93386beba

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=a%25C3%25A7%25C4%25B1sal+h%25C4%25B1z+ve+%25C3%25A7izgisel+h%25C4%25B1z+form%25C3%25BClleri'. This indicates the document's primary purpose is to redirect the user to a potentially harmful site. Another heuristic indicates a PDF link farm, suggesting a broad attempt to distribute malicious content. No scripts were extracted, but the presence of a malicious redirector is sufficient evidence for this assessment.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=a%25C3%25A7%25C4%25B1sal+h%25C4%25B1z+ve+%25C3%25A7izgisel+h%25C4%25B1z+form%25C3%25BClleri
- https://static.usrfiles.com/ugd/b4609a_07118c01962e4b4daf0b852606481717.pdf
- https://static.usrfiles.com/ugd/40b9e6_5e25284b1f3545528a6db2281c5fc6ab.pdf
- https://static.usrfiles.com/ugd/0bcf16_7969a0a6928f4fb79bedaf144b3c494d.pdf
- https://static.usrfiles.com/ugd/e42ee3_64af6f658f88489587bc741bacc01dd6.pdf
- https://cdn.shopify.com/s/files/1/0433/9479/3630/files/12649657403.pdf
- https://cdn.shopify.com/s/files/1/0435/6522/0003/files/46407408958.pdf
- https://cdn.shopify.com/s/files/1/0437/1913/1285/files/advantages_of_artificial_intelligence_in_accounting.pdf
- https://cdn.shopify.com/s/files/1/0431/1125/2132/files/bobaberat.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/ziwodukujaluladiludu.pdf
- https://static.usrfiles.com/ugd/48d9a1_4998aa196e9348349c5ac0b90cb39039.pdf
- https://static.usrfiles.com/ugd/2e79a6_f7b3a17ebacb47a0b265ba58899a510b.pdf
- https://static.usrfiles.com/ugd/f14cf6_97985c065754415da90a0a30b1bdbf94.pdf
- https://static.usrfiles.com/ugd/9c58c5_4efb72b843374005a7a38da2c17e399f.pdf
- https://static.usrfiles.com/ugd/a374b9_fa763bebf5e64f2d86e7070745b02bde.pdf
- https://static.usrfiles.com/ugd/724fb5_5c06a925e79343deb06c9456e2f20f80.pdf
- https://static.usrfiles.com/ugd/6290de_1927b7849e324bb58b583765d19d6e96.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cefe.bin` `ef8dd460c337cc685ab748cba5253a17efb26dc9520edff97f093e631598401b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCEFE	5612 bytes
`font_01_sfnt_off0000e1d1.bin` `9ce83a819e5fab7df2639b5990d3ebdb7a029213089ec88682445e7939f9fa91`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE1D1	15472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.