PDF malware analysis — malicious · dabd7eebf5d6fdb0

MALICIOUS

PDF

60.1 KB Created: 2020-09-07 11:49:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 861a77f6f4336273bd69a78bc725f5ab SHA-1: 74cfa5d259c325b5b967cfaff3953612bab798e1 SHA-256: dabd7eebf5d6fdb00e2ae4571c36e6e7160f9126d136ab5055e1af4b616283a8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=cbo+full+form+in+designation'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://static.usrfiles.com/ugd/c3f59f_74eb6e0730e24fd1b697de125839efb6.pdf' being the first identified. The document body, though heavily obfuscated, contains text related to 'Cbo full form in designation' and the malicious URL, suggesting a lure to a malicious site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=cbo+full+form+in+designation
- https://static.usrfiles.com/ugd/c3f59f_74eb6e0730e24fd1b697de125839efb6.pdf
- https://static.usrfiles.com/ugd/b52961_1ad2cc9060bf477d96c8ca06e83d92a9.pdf
- https://static.usrfiles.com/ugd/b8c837_2e001332d39b4cd69e54935833f64099.pdf
- https://static.usrfiles.com/ugd/917232_291e6013a671410a91fdb5222a85559f.pdf
- https://cdn.shopify.com/s/files/1/0434/2913/4501/files/bilixufujexuloteg.pdf
- https://cdn.shopify.com/s/files/1/0432/6565/4939/files/75573303550.pdf
- https://cdn.shopify.com/s/files/1/0428/1607/7991/files/94166673167.pdf
- https://static.usrfiles.com/ugd/941881_cd6ad9270d4c4703b98896561a743550.pdf
- https://static.usrfiles.com/ugd/113e89_a7e6603f1ce44704afb8103be7033f58.pdf
- https://static.usrfiles.com/ugd/b8c837_aeff4ba2c74d4a128f8b9975cb84a643.pdf
- https://static.usrfiles.com/ugd/12f4eb_f034a2298c7f4cc89d51f411bf43022a.pdf
- https://static.usrfiles.com/ugd/70a38d_97051e4f443a4fd997caf25b10efb01d.pdf
- https://static.usrfiles.com/ugd/bcd086_812be8de6bc74914bc6e90185d78a982.pdf
- https://static.usrfiles.com/ugd/45fd81_3c31bbd357454deabd467d15c92cd559.pdf
- https://static.usrfiles.com/ugd/f4de5e_d975fd14c6ad4da5b818135491ee3165.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000093b0.bin` `f9ba9226d79f9ab3d744a81b568ee458ef23f3afe01e39879dd08d43dab2693c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93B0	5272 bytes
`font_01_sfnt_off0000a57c.bin` `5b02cfb1f7ac71fd468e5c0f8a54e94ba372e8ff8edf24317a3ebcdd3e574dba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA57C	15020 bytes
`font_02_sfnt_off0000d360.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD360	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.