PDF malware analysis — malicious · fd25b450734a131a

MALICIOUS

PDF

66.0 KB Created: 2020-09-01 09:43:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3ffd55058109aabe9389985114cd8699 SHA-1: 4b870d950b0c20706667f67bfb1931e4f235c826 SHA-256: fd25b450734a131a60c15b5566a8a68ab812350673c316f627c256a9fba57d84

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains embedded links that lead to a redirector service. The primary link, disguised as a Cisco access point datasheet, points to 'https://ttraff.link/wix?keyword=cisco+access+point+3802i+datasheet'. This redirector is flagged as malicious. The document also contains a large number of other links, many pointing to Shopify, which is characteristic of SEO poisoning or link farm tactics to obscure the malicious destination. No scripts were extracted, but the presence of malicious redirector links strongly suggests a phishing or social engineering attack.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=cisco+access+point+3802i+datasheet
- https://cdn.shopify.com/s/files/1/0431/6554/8708/files/appropriate_methodology_and_social_context.pdf
- https://cdn.shopify.com/s/files/1/0431/0623/8613/files/nubijiwuserawedupe.pdf
- https://cdn.shopify.com/s/files/1/0432/3033/1040/files/interviewer_checklist.pdf
- https://cdn.shopify.com/s/files/1/0434/6318/0454/files/xbox_game_speech_windows_uninstall.pdf
- https://cdn.shopify.com/s/files/1/0434/3165/7621/files/xopezipifaxivilu.pdf
- https://static.usrfiles.com/ugd/b8c837_1a844f21c1624ec0968bceebf0a1ccdb.pdf
- https://static.usrfiles.com/ugd/67e251_bb2fd44e8a3742bd830bd3c539b6bc97.pdf
- https://static.usrfiles.com/ugd/87fdc7_5658ce81ecd34aab9bf46941f2382465.pdf
- https://static.usrfiles.com/ugd/1849a1_f4a3b7929bf548b083bcf78a59281c22.pdf
- https://static.usrfiles.com/ugd/b8c837_1090561acb51407e9a75fb0299b9f7d8.pdf
- https://static.usrfiles.com/ugd/b8c837_2b67de8ac186408984b0f9405165d63d.pdf
- https://static.usrfiles.com/ugd/3aee12_46bb702d2e36450889f8f70db53c57c3.pdf
- https://static.usrfiles.com/ugd/4bdc6d_50acfbb58fd34c0a9fd0104c40bc1c63.pdf
- https://static.usrfiles.com/ugd/b8c837_89ad23fa5c5d4c0ca8e745aeb109c8d4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a990.bin` `36bde427d5c67dd36a294f9b7cc71eef77021e888d6ddf7671e1b24b0110ce07`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA990	5476 bytes
`font_01_sfnt_off0000bc1e.bin` `4277ed0594b1f8f8e3288e65f1b92c46e2cf7e777f92bd1c803cdc9fc86fc05d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBC1E	15888 bytes
`font_02_sfnt_off0000ecd5.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xECD5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.