Malicious PDF — malware analysis report

Static analysis result for SHA-256 e70613d6d7c12823…

MALICIOUS

PDF

Size: 49.9 KB
Created: 2020-08-29 03:39:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84219db6f65c920b38ed00c457811e4e
SHA-1: ce79613c0470197406a7ee24f8b529fe92bbfea2
SHA-256: e70613d6d7c128231c4ec46ecded6555480283ef85f83be4e8bb10ad56869adb
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with the primary heuristic indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/wix?keyword=bose+soundtouch+20+iii+review, which is flagged as malicious. The presence of a link farm suggests an attempt to manipulate search engine results or to distribute malicious content through a large number of seemingly benign links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=bose+soundtouch+20+iii+review
    • https://static.usrfiles.com/ugd/b8c837_423f1dee98b64e0db23e64b60ffe3dff.pdf
    • https://static.usrfiles.com/ugd/b8c837_195e06c7da894170a91d6081932901e9.pdf
    • https://static.usrfiles.com/ugd/b8c837_060f67faf6074162b371c8e9907f299d.pdf
    • https://static.usrfiles.com/ugd/b8c837_8221df293f34443090efad4619acccae.pdf
    • https://static.usrfiles.com/ugd/b8c837_def354568d19499382b813ed6743059c.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1973744e4844790b9d1f559f1a097b0.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb4fea33ec3547b69151513ee97c5c2e.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd7a737b79a64f16bd84e5ce8b452e61.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8ee3abb576b4557852bebcd4eb23a4c.pdf
    • https://static.usrfiles.com/ugd/b8c837_391dbaf025494c4fb18dd754d7c318d8.pdf
    • https://static.usrfiles.com/ugd/b8c837_32e17859efe84569b320a1a9966ec6cb.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fc8fa00ffa9422d9573937e99067c4f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8341131268b34d49abf5fd162fc899af.pdf
    • https://static.usrfiles.com/ugd/b8c837_c2cdf11cf77d41e495478a8651f93925.pdf
    • https://static.usrfiles.com/ugd/b8c837_d5d4cabc4dc1441cb65d253a026401b7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • Filename: font_00_sfnt_off000077b4.bin
    SHA-256: bdc15bd7f4405e43abfffc0d511413bfdeb0fc2098e14fc6808abeb619356aa5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77B4
    Size: 5144 bytes
  • Filename: font_01_sfnt_off00008940.bin
    SHA-256: b744ad3d6205e446b740e52778d0196c6982247c6700d8e39d7a2db3b8abec47
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8940
    Size: 10312 bytes
  • Filename: font_02_sfnt_off0000ac87.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAC87
    Size: 4324 bytes