PDF malware analysis — malicious · f1e242c5ec6264fa

MALICIOUS

PDF

41.2 KB Created: 2020-09-02 08:12:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6d75d0c1266261a80cc1626a53ab970e SHA-1: e219b4e15aba7da2a97bd9ff04fc75e4da916db8 SHA-256: f1e242c5ec6264fa1e94c87cf679f6042c2668ec9840da13a24573d773c82a96

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL and appears to be a lure related to 'fur elise full music sheet'. The presence of numerous other PDF links, many hosted on 'static.usrfiles.com', suggests a link farm or redirection strategy. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a phishing or malware distribution site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=fur+elise+full+music+sheet
- https://static.usrfiles.com/ugd/b910ae_206e0e9866b84df2bb2d293c466d1efb.pdf
- https://static.usrfiles.com/ugd/ae059d_a1b12c8a2409442ca0d6eeadd97efb9e.pdf
- https://static.usrfiles.com/ugd/a382ee_03ad555d212e42cc8dfa9b9aebda8755.pdf
- https://cdn.shopify.com/s/files/1/0437/1903/3000/files/mefejunezuwav.pdf
- https://cdn.shopify.com/s/files/1/0427/8360/4903/files/wozujef.pdf
- https://cdn.shopify.com/s/files/1/0439/1898/3323/files/frontline_magazine_september_2020.pdf
- https://cdn.shopify.com/s/files/1/0427/7954/1671/files/ranurujevukipexazide.pdf
- https://static.usrfiles.com/ugd/74a852_2743fba3d47c47d69c48cb80f0e225c2.pdf
- https://static.usrfiles.com/ugd/b8c837_c13b45e92b394b66b261376c780a65d5.pdf
- https://static.usrfiles.com/ugd/0d2fda_a8e401cf98814947985fde80ff1d384c.pdf
- https://static.usrfiles.com/ugd/fa32a6_42a3cf344a174f3e94c4c0593f5372ae.pdf
- https://static.usrfiles.com/ugd/10e3af_996905aca2c14d5a88a2731a427cfd5b.pdf
- https://static.usrfiles.com/ugd/6846fe_2e937e333f354cd79e62ff7db1433189.pdf
- https://static.usrfiles.com/ugd/35dc59_1b58ffea67c140d3a2702d81de3024cf.pdf
- https://static.usrfiles.com/ugd/285be4_18a39275c8f44a9c9eb0948cffd506ba.pdf
- https://static.usrfiles.com/ugd/c3f88d_08de73a7ef6348f4ab02224adda1a6ac.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004f7f.bin` `90f6b22e94890040620d8022891c92e2d1d85a882ebae20820390479e3d2f17b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F7F	4864 bytes
`font_01_sfnt_off00005fe4.bin` `902c6469d2804ce48979c44cd9702e24beef942dfcd36b9de0592b3e610fa2ef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5FE4	10164 bytes
`font_02_sfnt_off000082ea.bin` `b330339415d7fa9c1b652c1fb2a052ec06569061b7b71506ab53161dc9b94742`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x82EA	16100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.