PDF malware analysis — malicious · d615c50250641e79

MALICIOUS

PDF

37.7 KB Created: 2020-08-29 12:32:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 624a485091851899130780c949e51512 SHA-1: 32f6572754f2508edb6ca7fe3ee3fbe14833f71f SHA-256: d615c50250641e7966d037cb78bea1fbe91e6a75617f40e7300e5943ed742989

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one critical heuristic identifying a malicious redirector. This redirector points to a URL that appears to be part of a link farm, ultimately leading to a PDF file. The presence of a 'download button' lure further supports the malicious intent of directing users to external content. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=download+free+gospel+ringtones+andro
- https://static.usrfiles.com/ugd/b8c837_30cb042ba4c64936a8b54a2c79307bd8.pdf
- https://static.usrfiles.com/ugd/b8c837_77c4e19d127b4fa2b44f8016770c2a6a.pdf
- https://static.usrfiles.com/ugd/b8c837_b0475a3801464942af14b71f50fe77e2.pdf
- https://static.usrfiles.com/ugd/b8c837_0179b0bcc59a46aba26ee43047f04682.pdf
- https://static.usrfiles.com/ugd/b8c837_032545bc579f4844a2adcab88841ae67.pdf
- https://static.usrfiles.com/ugd/b8c837_de72f55ec117407cbe967f743b2b15d8.pdf
- https://static.usrfiles.com/ugd/b8c837_039eb785c3ad49aeba5a0d4b715387a2.pdf
- https://static.usrfiles.com/ugd/b8c837_d955ac929c9a403996eb6f51d1bd0fc0.pdf
- https://static.usrfiles.com/ugd/b8c837_a4828b92555b41358da5203a94787f42.pdf
- https://static.usrfiles.com/ugd/b8c837_a3c3082f7c82491f8803818f1078a616.pdf
- https://static.usrfiles.com/ugd/b8c837_7b12ea54676b4fd69226921cd694a7aa.pdf
- https://static.usrfiles.com/ugd/b8c837_2d49632ee9294ca1a27a9e31d8779245.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004c1a.bin` `d93ebd2870edd8691129041449ddee0a56ea6f0a5a6d90cdc1bd0245516dba57`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4C1A	5300 bytes
`font_01_sfnt_off00005e40.bin` `d780f4bba6b8e08faa0a4c098f672809ff0fd59e08a38c6e5a2277341320f8d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E40	2216 bytes
`font_02_sfnt_off0000684e.bin` `3f2c956c4c1eccb454241aab1d6803a199569ce109dd8fe67392275c031176e3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x684E	9744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.