PDF malware analysis — malicious · c5a0f38c5760bac0

MALICIOUS

PDF

55.7 KB Created: 2020-09-03 00:03:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 91a33f300f8395fdba58ec6f6c5fc023 SHA-1: 5651a550cc1c46c507be58b59011782a6f02c5c1 SHA-256: c5a0f38c5760bac02b2713319e295f9024c77657b36bc2800d03ac39f7a4975b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to known malicious infrastructure. The embedded URL, 'https://ttraff.cc/wix?keyword=companies+house+annual+accounts+template', is presented as a lure for 'companies house annual accounts template'. The PDF also exhibits characteristics of a link farm, with numerous external links, suggesting a broad distribution attempt. No scripts were extracted, but the primary malicious action is the redirection to a potentially harmful URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=companies+house+annual+accounts+template
- https://static.usrfiles.com/ugd/f17c08_45709df4e1d346f5948e55ee97f2fa18.pdf
- https://static.usrfiles.com/ugd/16a96a_138b279ab7174622b1b93394dd4e6eca.pdf
- https://static.usrfiles.com/ugd/e2c6c1_9dc451814d274b4fb06482135880f07f.pdf
- https://static.usrfiles.com/ugd/b8c837_42c352870c6d464aa2ba5c4fa26692ff.pdf
- https://static.usrfiles.com/ugd/735424_ab9c7d35912d4de4b85b635787a42357.pdf
- https://cdn.shopify.com/s/files/1/0428/3649/2444/files/40442814506.pdf
- https://cdn.shopify.com/s/files/1/0433/9138/5756/files/teardrop_tattoos_under_eye_meaning.pdf
- https://cdn.shopify.com/s/files/1/0429/8198/2361/files/puzejemagegozejukovudato.pdf
- https://cdn.shopify.com/s/files/1/0464/8914/1416/files/65948113942.pdf
- https://static.usrfiles.com/ugd/96768c_b6dde12a6d7e42e9994c002936a42e87.pdf
- https://static.usrfiles.com/ugd/2ca09c_d6b2383391e74eaeaae66cccd587ce9d.pdf
- https://static.usrfiles.com/ugd/913720_a0d5e0677d9f4135b41fec1f705003f7.pdf
- https://cdn.shopify.com/s/files/1/0462/6805/5714/files/61443898069.pdf
- https://cdn.shopify.com/s/files/1/0427/8976/5276/files/phonology_definition_linguistics.pdf
- https://cdn.shopify.com/s/files/1/0430/8877/3269/files/66330821031.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000090de.bin` `3b89a1333aa93e194de12c5c5da229a8f3a969ace6b07a90c5323b9ece6747ec`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x90DE	2828 bytes
`font_01_sfnt_off00009ad9.bin` `cafc1c9e2e709bdae980007199c262638b8c6887eaf2439c96ba0532e3640c01`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9AD9	4984 bytes
`font_02_sfnt_off0000ab9d.bin` `3195d18467cc587079471e18bf952b8e4bae87c3b6047af22badb03d49f101c5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAB9D	10556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.