PDF malware analysis — malicious · e7a14af5794316a4

MALICIOUS

PDF

50.9 KB Created: 2020-09-16 21:30:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 426be2dc5023b73bfc4b774f9681b477 SHA-1: 0bf6b6b287a500303e28b05fd26e898a14c6a4d8 SHA-256: e7a14af5794316a4426c1c7530ebbc2f773ca6b6ef84bb45ed31694961ffbba8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a specific malicious redirector URL, indicating a phishing or redirection attempt. The document body, though heavily obfuscated, contains the URL https://ttraff.club/wix?keyword=sewing+machine+1800s+facts, suggesting a lure related to sewing machines to entice users to click the malicious link. The presence of numerous PDF links points to a link farm strategy to distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=sewing+machine+1800s+facts
- http://xapekuwef.farhadsworldwideblog.com/uploads/1/3/1/8/131857144/rukisakuw.pdf
- http://files.kyrps.org/uploads/1/3/1/4/131407138/batalinimi-femikuwuwagit.pdf
- http://xevot.firstresponsetacticalsystems.com/uploads/1/3/1/6/131636947/retapirapox.pdf
- http://dilezetit.thisgirlstees.com/uploads/1/3/1/6/131637503/pazukerivilevejulip.pdf
- https://dd63a06c-13e9-483c-b363-c3dd11e32203.filesusr.com/ugd/de3d83_0e317a1bf8554044bba47f495abe4548.pdf?index=true
- https://3e0ce258-1d82-4aca-ae05-8f6f2daa596f.filesusr.com/ugd/f9d4cd_70efaf4d94a84a5aa34e54ac947aa1ee.pdf?index=true
- https://983463f6-32e1-40f7-ba2f-74c94d163f9d.filesusr.com/ugd/296484_7460f512c28d454d8b6452fbe155ffed.pdf?index=true
- https://a01039c8-fa4a-40eb-a732-e2db6ec46220.filesusr.com/ugd/96564c_c648bef43c65424bb0311029533f7393.pdf?index=true
- https://52f245b1-ad07-48d9-9aa6-919e90db023d.filesusr.com/ugd/43d2fc_4fe3d59f425341c6a8e2aee9ab8918c2.pdf?index=true
- https://fec73f6d-4505-40a4-b491-b4a84ae0f3bb.filesusr.com/ugd/6a7407_14b6691a0028468e8ee252f950acb60e.pdf?index=true
- https://c29e540f-1bf2-4887-bee7-331c0e4b131b.filesusr.com/ugd/69695d_82e8f284a3ee47c0a251b29f6ae9f8a1.pdf?index=true
- https://b0a8d407-9aac-4f23-8dfc-8bc191e72acc.filesusr.com/ugd/c638b7_92d3bc61e37d4945bfc746a6ed0b0997.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007a24.bin` `84c0f014f8c2e63455b7b41c26f36663bd19bcbd23fce0a490fd46e727bd1849`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A24	5428 bytes
`font_01_sfnt_off00008c80.bin` `0e1367f6f344ad19c26315fd0f8f94b701ae3dfc02aca529322ee4f097a00a6a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C80	10632 bytes
`font_02_sfnt_off0000b0ab.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB0AB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.