PDF malware analysis — malicious · bea2c9f9f485db64

MALICIOUS

PDF

49.1 KB Created: 2020-08-31 21:29:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 44bf25a8d433fdb087e5cb6e1a2a36aa SHA-1: 56f7dac79eccf3b1dd5b391af4c6c2f0fc8820e8 SHA-256: bea2c9f9f485db64d0156a63adbbe19a23cf2f890fbce1f658eed19dba517b6a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains text referencing 'Autodesk viewer convert to pdf' and the malicious URL 'https://ttraff.cc/pify?keyword=autodesk+viewer+convert+to+pdf'. This suggests a phishing or social engineering attack aiming to redirect users to malicious content. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=autodesk+viewer+convert+to+pdf
- https://static.usrfiles.com/ugd/b8c837_a90dd225c32e41e8af431106ff17fda3.pdf
- https://static.usrfiles.com/ugd/b8c837_7e844fd66b614d48941a244671bb6e6c.pdf
- https://static.usrfiles.com/ugd/f1780b_bb8466a15474418f897b75294c1ce381.pdf
- https://static.usrfiles.com/ugd/ed64d2_e5918a70f77848f290a95f63542a1553.pdf
- https://static.usrfiles.com/ugd/b914b5_5e34bf42c68b466c8c9604a96de99a81.pdf
- https://cdn.shopify.com/s/files/1/0430/8919/9268/files/15614126719.pdf
- https://cdn.shopify.com/s/files/1/0436/4759/8742/files/rajuneboxukokivex.pdf
- https://static.usrfiles.com/ugd/5bb01c_ce2773c384774bf7ae14206fa9e64d9b.pdf
- https://static.usrfiles.com/ugd/affb4a_77c0d495e15c4b028aee5060a89375b4.pdf
- https://static.usrfiles.com/ugd/b8c837_4599b1e1f34d4d9885625c493d52c647.pdf
- https://static.usrfiles.com/ugd/f967ac_41066f984e8245ce91af2a3b06621367.pdf
- https://static.usrfiles.com/ugd/b8c837_a3fa0ae77c684d6c86a0dba9d025c331.pdf
- https://static.usrfiles.com/ugd/4f270c_d098df2522d14c01a08ce259b168fca2.pdf
- https://static.usrfiles.com/ugd/d9d1f5_d74ff10399e84be080f056d6e895923e.pdf
- https://static.usrfiles.com/ugd/c836c3_59405d0517604fd199a7d62b4bec049c.pdf
- https://static.usrfiles.com/ugd/2c8d66_2ceee7eb855d46a6abbdfdaea9215224.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006303.bin` `459ab70bb114bad08b156b1a2dfb45f9402ba66524f8d542acfd3a65bebc7c7e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6303	5112 bytes
`font_01_sfnt_off00007498.bin` `872729b7c20b7812778ad262e6b2ff306834158a285155457571f27008244491`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7498	10480 bytes
`font_02_sfnt_off000098bc.bin` `e45c3e59e5673b6f9f0eee352f205fead1befb00105e86844014ccfed69bdb91`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x98BC	18852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.