PDF malware analysis — malicious · e512eb460d782d5e

MALICIOUS

PDF

36.1 KB Created: 2020-08-31 11:50:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8cabba10866c4c29d25ca3b0c76e18a1 SHA-1: 7a9a00dbeaaf47a8f9337051dd020291e2640f63 SHA-256: e512eb460d782d5e7ba91d0a07b8bab4e5e74ed024ae5e17f341dfff58a2a262

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass external PDF link farm, with multiple links pointing to static.usrfiles.com, and a critical heuristic firing for a malicious redirector link. The primary malicious URL, https://ttraff.cc/wix?keyword=pioneer+sa+05+stereo+amplifier, is likely intended to redirect the user to a malicious site. The document body, though partially garbled, contains text related to a 'Pioneer sa 05 stereo amplifier' and includes the malicious URL, suggesting a lure to a phishing or malware distribution site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=pioneer+sa+05+stereo+amplifier
- https://static.usrfiles.com/ugd/b8c837_cc315ba13a37423eb33f7e721aefa94c.pdf
- https://static.usrfiles.com/ugd/516793_659c13ea057b47b59d7d2145d615663d.pdf
- https://static.usrfiles.com/ugd/b8c837_779b68eb25c74137b70b912d9a4bf8a8.pdf
- https://static.usrfiles.com/ugd/d1c05f_9c3c9ba2f98b487382f54743a619751b.pdf
- https://static.usrfiles.com/ugd/f7fbc8_1e7b7025454c432f875c86221806e94b.pdf
- https://static.usrfiles.com/ugd/353d00_c5eb67b51afd400f9751137af11aa152.pdf
- https://static.usrfiles.com/ugd/b8c837_a51df91f8d024713a61498e21ac1ac1a.pdf
- https://static.usrfiles.com/ugd/89c6ad_208dd43da1804fd3bcdf225cbadf581f.pdf
- https://static.usrfiles.com/ugd/b8c837_4d1a1d37448548b1a9bbe40b3a861ae5.pdf
- https://static.usrfiles.com/ugd/fb5067_0c65ac33c4a643dea9c704177e324231.pdf
- https://static.usrfiles.com/ugd/b8c837_00f12b5f256a46199567452546e0d61c.pdf
- https://static.usrfiles.com/ugd/4bb894_abf92dfe3bdf463099b97bfd25e4060f.pdf
- https://static.usrfiles.com/ugd/374ce0_24e44ba9bb864fccbdcb4f9605ef8640.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004e8b.bin` `0abd3ab1101633eea6a70373650d073c28f99763a72edcd4cf1e9d63a56d9ec3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4E8B	5312 bytes
`font_01_sfnt_off0000607d.bin` `f7b5432ab458320f45fe44d03d0642f08b96f446acdfc1b75c6f4d9266126104`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x607D	10312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.