PDF malware analysis — malicious · d95b6e1cdb088ee0

MALICIOUS

PDF

44.5 KB Created: 2020-09-02 07:26:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 737b8825b069f57f884b5d387f7be954 SHA-1: 1482dcf952997fa34df7d3b0f6894bbc0ac6df4b SHA-256: d95b6e1cdb088ee0ad5852c349e426d691a32fb6652a56b5c7265aa64e2e974d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body explicitly mentions 'Bitcoin faucet apk' and includes a URL pointing to 'ttraff.com', which is flagged as a malicious redirector. This suggests a phishing or scam attempt designed to lead the user to potentially harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=bitcoin+faucet+apk
- https://static.usrfiles.com/ugd/d902bb_833e49eb6c8e41388cdcc39932ef353f.pdf
- https://static.usrfiles.com/ugd/2e16aa_4a60bfdd34034add8797b507976746bc.pdf
- https://static.usrfiles.com/ugd/67f5f7_5dd41b7a2a52460f86749a745ae7b69b.pdf
- https://static.usrfiles.com/ugd/234f58_459266a420b740ebac499fd96423b83e.pdf
- https://static.usrfiles.com/ugd/b8c837_6422be812c0c43898afed07fbb5b8c8e.pdf
- https://cdn.shopify.com/s/files/1/0428/5153/2963/files/11092083818.pdf
- https://cdn.shopify.com/s/files/1/0434/6200/0806/files/jujapeganifogavivipu.pdf
- https://cdn.shopify.com/s/files/1/0431/8940/3810/files/15813424877.pdf
- https://cdn.shopify.com/s/files/1/0427/9622/0572/files/24300591735.pdf
- https://cdn.shopify.com/s/files/1/0435/2730/7416/files/zugimafibozexa.pdf
- https://cdn.shopify.com/s/files/1/0438/4486/2114/files/guide_touristique_bretagne.pdf
- https://cdn.shopify.com/s/files/1/0438/0783/4272/files/26925433811.pdf
- https://cdn.shopify.com/s/files/1/0435/7790/1214/files/14483668794.pdf
- https://cdn.shopify.com/s/files/1/0431/1570/8580/files/82942820968.pdf
- https://cdn.shopify.com/s/files/1/0428/2214/0063/files/32949673850.pdf
- https://cdn.shopify.com/s/files/1/0434/0531/2154/files/mulovag.pdf
- https://cdn.shopify.com/s/files/1/0431/3546/7669/files/toferamalaxadiloz.pdf
- https://cdn.shopify.com/s/files/1/0440/8583/7989/files/eccentric_reducer_dimensions.pdf
- https://cdn.shopify.com/s/files/1/0438/8575/6568/files/business_environment_defined.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007165.bin` `f11e153a84079daef16fb4815c4c5c92299849ba39dc237f83d59608caad9336`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7165	4816 bytes
`font_01_sfnt_off000081eb.bin` `f408de00b4311b222b32069f734a86931ba3682459e63a423ed07577d52aa42c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81EB	10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.