PDF malware analysis — malicious · d90770a5a6d937ea

MALICIOUS

PDF

43.8 KB Created: 2020-09-01 03:46:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7c5dbe8e355073eb1c32b6c5b0370be5 SHA-1: c884aa973fa7915a7324dce6b6efa397d01cd667 SHA-256: d90770a5a6d937ea3a5643269c0ebfd97ea2274437ded1971494efb0222a79be

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised with keywords related to 'Bitrise android app bundle'. The document also contains a large number of external links, many pointing to static.usrfiles.com, suggesting a link farm or redirection strategy. The presence of these links and the malicious redirector indicates an attempt to lead the user to a malicious site, likely for phishing or malware delivery.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bitrise+android+app+bundle
- https://static.usrfiles.com/ugd/c63dba_264c4b3e7aec42a7b922d0f1873b8d1f.pdf
- https://static.usrfiles.com/ugd/b8c837_2606880d94ab4ba3a3e5ed797c6ddb17.pdf
- https://static.usrfiles.com/ugd/f0e51d_ecff6d9e5dba4f078e0a4b36a44a85f7.pdf
- https://static.usrfiles.com/ugd/b8c837_bb351efe6639463983164d0d75870432.pdf
- https://static.usrfiles.com/ugd/b8c837_3675fb5c98b3446fbc976eeab6f6743e.pdf
- https://static.usrfiles.com/ugd/f967ac_836ab2bf928f48849d3e09c3eecc1a18.pdf
- https://static.usrfiles.com/ugd/9e53d4_ff7eb61f610548539bac8cb71a090129.pdf
- https://static.usrfiles.com/ugd/32acb1_69113c46027f4dad8cec1ddc98cbb9a9.pdf
- https://static.usrfiles.com/ugd/b8c837_43733c1196504b1db6c4a34a0a534cd8.pdf
- https://cdn.shopify.com/s/files/1/0429/2247/5687/files/81214457030.pdf
- https://cdn.shopify.com/s/files/1/0431/7993/3862/files/bejogefalutujulivanasa.pdf
- https://cdn.shopify.com/s/files/1/0463/3005/2769/files/logical_fallacies_book.pdf
- https://cdn.shopify.com/s/files/1/0431/0407/5933/files/lagu_billfold_time_stafaband.pdf
- https://cdn.shopify.com/s/files/1/0432/4868/1120/files/kujunapawepebasipobigu.pdf
- https://cdn.shopify.com/s/files/1/0440/2891/9973/files/87595996796.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/581871399.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006096.bin` `c4eee56da829fc368877b54f9f5c943a0c63d0268fdffd9a2722648d82b48923`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6096	5024 bytes
`font_01_sfnt_off000071a8.bin` `dec8660e06ef8e8f505e2d03afed8411b94e9bc57c58942b9ba72070a07f3b4e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71A8	10264 bytes
`font_02_sfnt_off00009434.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9434	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.