PDF malware analysis — malicious · f7f7845fe86e6e2c

MALICIOUS

PDF

68.5 KB Created: 2020-09-02 01:14:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 90d39fb461ee8a4aeb1d23ce213c2414 SHA-1: cd6bdb04ff1df9b5a9a5b30b16980c724ee0d80d SHA-256: f7f7845fe86e6e2ca8cab1b2156d94ee367ec75dc02f08bc6eb98d2b1c5fdfab

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits a PDF link farm heuristic, indicating a large number of outbound links, many of which are to 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wix?keyword=antenatal+hydronephrosis+ispn+guidelines', reinforcing the malicious redirector finding. This suggests the document's primary purpose is to redirect users to a malicious site, likely for phishing or malware delivery.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=antenatal+hydronephrosis+ispn+guidelines
- https://static.usrfiles.com/ugd/d54300_90c7e9e260ed4dbf8db06289814d4129.pdf
- https://static.usrfiles.com/ugd/ac72e0_c3bdaef4d5234b10a6177e8ec114fb7c.pdf
- https://static.usrfiles.com/ugd/e73fea_74ddc58884e442c5a87ebfaed609ecf5.pdf
- https://static.usrfiles.com/ugd/b8c837_15e5dbee264b4189aa6fe418169d5cbb.pdf
- https://static.usrfiles.com/ugd/4e6dd5_989c178927814bd784f5d64cfda40e22.pdf
- https://cdn.shopify.com/s/files/1/0436/6001/7814/files/datamenekoxubapuluvajulez.pdf
- https://cdn.shopify.com/s/files/1/0430/0383/8615/files/clorox_disinfecting_wipes_fresh_scent_sds_sheet.pdf
- https://cdn.shopify.com/s/files/1/0428/9291/8947/files/81864214371.pdf
- https://static.usrfiles.com/ugd/e32576_72f43149c2084e5280848274740f2548.pdf
- https://static.usrfiles.com/ugd/8b49c6_4d0c0eb22c8348b88b0feffd0d98a83e.pdf
- https://static.usrfiles.com/ugd/eb4c03_742a76c638f5402a93e6efc2015fb9ad.pdf
- https://static.usrfiles.com/ugd/c1c462_d1eed7049a774b129c2ffb7402f3677e.pdf
- https://static.usrfiles.com/ugd/7a11b0_96db9b5a15cf4585ba830c2633f0dec5.pdf
- https://cdn.shopify.com/s/files/1/0433/7372/3800/files/65550129054.pdf
- https://cdn.shopify.com/s/files/1/0434/2421/9293/files/konogo.pdf
- https://cdn.shopify.com/s/files/1/0427/7056/3239/files/baronepisajaj.pdf
- https://cdn.shopify.com/s/files/1/0463/2861/0971/files/22898045900.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ca7c.bin` `617fea1f60dac7c432890578389dd250e7dc4f9ad5d9d01c929963bb485c8d93`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCA7C	5312 bytes
`font_01_sfnt_off0000dc8c.bin` `2a4fe1a2b0e3bc6d03cda5f769c8b0132b097e37cdbafdebaafd0dd3b0869e84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDC8C	12448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.