PDF malware analysis — malicious · b996a07d337a9c56

MALICIOUS

PDF

46.0 KB Created: 2020-09-01 21:53:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 80b740d4caa22d23be43e14ea277647e SHA-1: 1892bbf44d9d58fa780916b9c3b037224b63ac03 SHA-256: b996a07d337a9c5626d1194b8fa222a426d479e338e50189ea44a5e6fbc234ed

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'broadsheet melbourne cbd lunch', suggesting a phishing or scam attempt. The PDF also contains a large number of external links, characteristic of a link farm, further supporting a malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=broadsheet+melbourne+cbd+lunch
- https://cdn.shopify.com/s/files/1/0434/2857/7447/files/80755765414.pdf
- https://cdn.shopify.com/s/files/1/0434/1330/7541/files/7th_grade_social_studies_unit_2_study_guide.pdf
- https://cdn.shopify.com/s/files/1/0430/4162/0119/files/fiwozijajumirodakajoxa.pdf
- https://cdn.shopify.com/s/files/1/0430/3532/8663/files/nazekukenezenon.pdf
- https://cdn.shopify.com/s/files/1/0437/1821/3797/files/ac_market_install_android.pdf
- https://static.usrfiles.com/ugd/90423f_edc22776d17c4894968f196d8f3ac048.pdf
- https://static.usrfiles.com/ugd/b8c837_99ba59804ab64eb4abdcbe0392892358.pdf
- https://static.usrfiles.com/ugd/2813e2_b466ed90863c4d5b951d68d2b08c1554.pdf
- https://static.usrfiles.com/ugd/78c764_d4bf2db3e01341a8803747b1cdd914f7.pdf
- https://static.usrfiles.com/ugd/c0b427_e13bc6ea8de84e35b6242a98e6ea8151.pdf
- https://static.usrfiles.com/ugd/accd1f_078167202f2d48faa7aabc88b83ef1f4.pdf
- https://static.usrfiles.com/ugd/77d535_8a7f6d63391541dabf0bff61fa18e0ae.pdf
- https://static.usrfiles.com/ugd/cc14e4_1e792b5049b7413ebde9461362301665.pdf
- https://static.usrfiles.com/ugd/57c819_fba3fd612fd6488790342108c2914dc6.pdf
- https://static.usrfiles.com/ugd/6f53d7_2b43313de5994772a30dac388a8d5038.pdf
- https://static.usrfiles.com/ugd/c162b3_864479ec33e14e0399acd4e523f0161e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000684f.bin` `0db9481b5266ddabd1f2ac6f160ea2a58f55ba0501b644231be817dd1e8b10b6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x684F	5200 bytes
`font_01_sfnt_off000079d2.bin` `d8ca537217b1efbec6119a2dfd2166a6bd1a9008e4f1e0ddb62c0b48155c2113`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79D2	10216 bytes
`font_02_sfnt_off00009cc0.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9CC0	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.