PDF malware analysis — malicious · de1b8a405a007433

MALICIOUS

PDF

42.3 KB Created: 2020-08-29 08:11:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e1fbffe10bf74ffc6ec3ad7ac47fe5ff SHA-1: a37c73caf1f87af39fd0c54022a42f2d9a54bbe3 SHA-256: de1b8a405a007433ec0498b6e5cd7b8eb118c16e9ad54af5adf81522748383bf

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that includes 'criminal case mod apk'. This suggests a social engineering lure to trick users into downloading malware. The document also contains a large number of embedded links, many pointing to static.usrfiles.com, which is flagged as a link farm. While the specific document body text is heavily obfuscated, the presence of the malicious redirector and the link farm strongly indicate a malicious intent to redirect users to harmful content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=criminal+case+mod+apk+2.+30
- https://static.usrfiles.com/ugd/b8c837_9e6a3929249e468a8f60bc57758d863e.pdf
- https://static.usrfiles.com/ugd/b8c837_47b75c2ec8b442cbbc60aa9968ffe8a5.pdf
- https://static.usrfiles.com/ugd/b8c837_58663ce709c448bca39a3026dc301f13.pdf
- https://static.usrfiles.com/ugd/b8c837_b1ce17400d8f411baf3782022336e60b.pdf
- https://static.usrfiles.com/ugd/b8c837_70e854ce6a3d4db89aedaaf136a267a3.pdf
- https://static.usrfiles.com/ugd/b8c837_3482ed34fdb7459f902ab9680128dff8.pdf
- https://static.usrfiles.com/ugd/b8c837_a41edc31688c40e2b1253604609abc88.pdf
- https://static.usrfiles.com/ugd/b8c837_79205009721042c7a088d05b4efaf80a.pdf
- https://static.usrfiles.com/ugd/b8c837_35af7dd9d65044daa0d30a964da34ce1.pdf
- https://static.usrfiles.com/ugd/b8c837_663a55f8981a44bc82b73d35778bb442.pdf
- https://static.usrfiles.com/ugd/b8c837_ea145fc830984c73b15303f77353c4a6.pdf
- https://static.usrfiles.com/ugd/b8c837_ae1002feafd14e38a9b8b3d76a79c158.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000058a4.bin` `e17c3930f619d3339e05d61b0263fc5a535c0ac5aeda634f27f1a71a9a94e47a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x58A4	5484 bytes
`font_01_sfnt_off00006b18.bin` `557532b5e2b224dcdce63c0ebc8712ce2ad034cc533e538c78e97c31c9441a1d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B18	10360 bytes
`font_02_sfnt_off00008e91.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8E91	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.