PDF malware analysis — malicious · d45c673860a2b8c9

MALICIOUS

PDF

36.2 KB Created: 2020-08-30 19:04:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8e608389b45bbda65b99ae49a8c5f151 SHA-1: 80372f410c2b989a89cb5b6f1c2e6aa84fc7221b SHA-256: d45c673860a2b8c9918f4f8235e169b19c9b9f972711248b077ad111b151c078

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.com/wix?keyword=bujias+acdelco+para+aveo, which is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other PDF links, suggesting a link farm or SEO poisoning tactic to drive traffic to malicious sites. No scripts were extracted, and the family is unknown.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=bujias+acdelco+para+aveo
- https://static.usrfiles.com/ugd/b8c837_b54a9d3abc9d49a990bfec7a8d823e08.pdf
- https://static.usrfiles.com/ugd/b8c837_4888ca9a04c847228ff20eebe8ea2965.pdf
- https://static.usrfiles.com/ugd/b8c837_e261fc6a85604b87890c33fb52107b63.pdf
- https://static.usrfiles.com/ugd/cdb50c_47b21575ec9442a69b56ae97e3bc6d88.pdf
- https://static.usrfiles.com/ugd/b8c837_5156146dd94d42c391dd8b185ecb2520.pdf
- https://cdn.shopify.com/s/files/1/0433/3663/0422/files/performance_appraisal_essay_examples.pdf
- https://cdn.shopify.com/s/files/1/0431/5735/6710/files/92767090787.pdf
- https://static.usrfiles.com/ugd/b8c837_e0de796fada64556b4cb00baf59f5ec7.pdf
- https://static.usrfiles.com/ugd/3eed2b_8b85195a42fb455b866f908d4ff30229.pdf
- https://static.usrfiles.com/ugd/f96b02_2d69695c912849e888ff2e94e53cf014.pdf
- https://static.usrfiles.com/ugd/87a178_e913e34a15104be79e38264150768fcf.pdf
- https://static.usrfiles.com/ugd/bae363_6bb3e7ed1d124f6c9d0f63116c7accc3.pdf
- https://static.usrfiles.com/ugd/b8c837_9e0c5453f31348fdb61f172ffe9d506e.pdf
- https://static.usrfiles.com/ugd/5360f8_6bb1ae00ac144fe6b03bd15aa929e6cb.pdf
- https://static.usrfiles.com/ugd/24853a_8ca5316c5a184466ae60c54453fd7236.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000045c6.bin` `d0fb12650c012ec2d8f75a9eb4fe72c25fab4c32c375832359e3709f16bc958e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x45C6	4948 bytes
`font_01_sfnt_off000056a6.bin` `4db881c2e636a4e7155bba626b97f808a838527c21001c39dd1f989672aca1c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56A6	9132 bytes
`font_02_sfnt_off000075fa.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75FA	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.