PDF malware analysis — malicious · c143c97766b79eca

MALICIOUS

PDF

44.1 KB Created: 2020-09-04 21:47:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5c2bf7940603bb1f9164804a95f9fb78 SHA-1: 506716c1aad470b2fb20f4e7bb24e897b1a3e442 SHA-256: c143c97766b79eca2251d0728bfd8dd4e0d9faa5c46b4495f78a4864953b37a2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=cedula+de+identidad+venezolana+formato+pdf'. This URL is likely used to redirect the user to a phishing or malware distribution site. The document also contains a large number of embedded links to 'static.usrfiles.com', which is flagged as a link farm. The document body, though heavily obfuscated, contains text related to a Venezuelan identity card format, suggesting a lure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=cedula+de+identidad+venezolana+formato+pdf
- https://static.usrfiles.com/ugd/9cfd0a_a0fd453f3762469a93f648e1d3e12c9b.pdf
- https://static.usrfiles.com/ugd/361045_92f8848c409342d8af9ba3bcee89a292.pdf
- https://static.usrfiles.com/ugd/b8c837_07678323f78b4d569390d06684eff081.pdf
- https://static.usrfiles.com/ugd/0ebc1f_db9d65d0a5fd42e380d4f76fa65e3e3a.pdf
- https://static.usrfiles.com/ugd/2e79a6_a1adac08f6eb4ec185e455191788b6a3.pdf
- https://static.usrfiles.com/ugd/18122d_1d9269cec1f14e448c5cc15592051e43.pdf
- https://static.usrfiles.com/ugd/badafb_2fb27cedc04746ad91620ba7c59606de.pdf
- https://static.usrfiles.com/ugd/bdc04d_f4494aa4e84e4d14bae5bf8098fbcd56.pdf
- https://static.usrfiles.com/ugd/97aff7_a935a96ac6e54dce9cdb4bcf517beb1e.pdf
- https://static.usrfiles.com/ugd/6da380_75c40f973f2149d8bca0750eafde5ed8.pdf
- https://static.usrfiles.com/ugd/b8c837_8afa378f9c414a4cad1c4fd2df8203d2.pdf
- https://static.usrfiles.com/ugd/2b3f46_f9f09296504149e596c60fc593c5e4d2.pdf
- https://cdn.shopify.com/s/files/1/0439/8986/0510/files/10012474441.pdf
- https://cdn.shopify.com/s/files/1/0437/9020/5090/files/pre_calculus_12_textbook.pdf
- https://cdn.shopify.com/s/files/1/0463/4030/9153/files/xufuxataduzomes.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000601a.bin` `0671e9b47a7990a3af459bcd3bd0c906bd8bfd4c86514f2a77d62711981b57ed`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x601A	5024 bytes
`font_01_sfnt_off00007129.bin` `733ca4723a13f814d560c2d92d66101b95d347fe38c8abc229a5a5f4f6df1412`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7129	10492 bytes
`font_02_sfnt_off00009360.bin` `7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9360	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.