PDF malware analysis — malicious · e4f5f6749c5a3173

MALICIOUS

PDF

46.4 KB Created: 2020-08-31 19:30:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 49b5234ab4eb80307e4ff09ffa5518f9 SHA-1: c0a79b1cf6a9d0c64e9dc8267b62fa56e5d12db6 SHA-256: e4f5f6749c5a3173215c827c8c0299cb04bccd99dba3b116bed90088955f2f05

128 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination of the download lure. The document also features a mass external PDF link farm, with many links pointing to static.usrfiles.com, suggesting an attempt to create a link farm for SEO purposes to attract users searching for software like 'arcai netcut pro apk free'. The presence of a visual download button further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=arcai+netcut+pro+apk+free
- https://static.usrfiles.com/ugd/b8c837_2df26a97b4c64eae930d8ae76ac9163c.pdf
- https://static.usrfiles.com/ugd/ab922d_8b5286fb4b6747d193369a9bc7021541.pdf
- https://static.usrfiles.com/ugd/eda9ba_b624af9200364a9e8e87ea82f265d8bb.pdf
- https://static.usrfiles.com/ugd/b8c837_e3c088c13cb04a428c58dfef8b604f5f.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99324429390.pdf
- https://cdn.shopify.com/s/files/1/0431/6597/4690/files/timedowo.pdf
- https://static.usrfiles.com/ugd/07e02c_3d5d01502d10409992009d661110e2a2.pdf
- https://static.usrfiles.com/ugd/b98abb_17e6c6d9d56049ecaca8e04a299b4d3a.pdf
- https://static.usrfiles.com/ugd/b8c837_80e6448bd0a644cfa627e18fc30edf1b.pdf
- https://static.usrfiles.com/ugd/67f5f7_1e79f8e36802432689b475c3ed6d5645.pdf
- https://static.usrfiles.com/ugd/16a96a_1ea5d2667e0d47f287ae46fbea230b74.pdf
- https://static.usrfiles.com/ugd/be19e1_36b934adf8fd4e6096d39fefb52a091c.pdf
- https://static.usrfiles.com/ugd/9d869b_adbfaa29a18b44c4a61945c322748207.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006420.bin` `b103b680e09e70190f65c6750dac97eb2b55bdcef09db239bccd1cbfa355312e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6420	4852 bytes
`font_01_sfnt_off000074bc.bin` `c2edfdd34887f49c50e1b94f71b46f4bf96b19e8c15f5175007a77f996501f7a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74BC	10004 bytes
`font_02_sfnt_off00009730.bin` `7ac25f4a2bf2c555c3f87c714243985d907f859cc4ca9b02d801ca62f0b97aa6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9730	16284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.