PDF malware analysis — malicious · 376da0d7be3edde9

MALICIOUS

PDF

42.9 KB Created: 2020-08-02 15:37:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 987b34cdb3dff365c550b6616f693158 SHA-1: 75e86ecfd24d998f9610616fcceea3f951b91818 SHA-256: 376da0d7be3edde9ef7258e1e9610f145f531b8be943b1c7905f736713d686de

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains multiple heuristics indicating malicious intent, including a link to a known malicious redirector and a large number of embedded links designed to appear as SEO content. The document body explicitly mentions 'Activex for chrome' and instructs the user to install something, aligning with the 'SE_BROWSER_INSTALL_LURE' heuristic. The primary malicious URL identified is https://ttraff.ru/pify?keyword=activex+for+chrome, which likely serves as a gateway to further malicious content or malware.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=activex+for+chrome
- http://files.authorkmdylan.com/uploads/1/3/1/4/131437243/lilulowazodujotigo.pdf
- http://files.batheinbeaufort.com/uploads/1/3/0/7/130775180/sulavirofamuso-vulowavugakus-mewowalazezoje-befuz.pdf
- http://files.kevinanthonyhull.com/uploads/1/3/1/8/131871526/1b73f59aaef807.pdf
- https://cdn.shopify.com/s/files/1/0431/3320/6690/files/mclaren_mt_7.pdf
- https://cdn.shopify.com/s/files/1/0438/3119/7856/files/76063201256.pdf
- https://cdn.shopify.com/s/files/1/0429/1608/5923/files/86461457395.pdf
- https://cdn.shopify.com/s/files/1/0431/8271/9127/files/dedumatawoboko.pdf
- https://cdn.shopify.com/s/files/1/0445/3515/2804/files/aci_318_11_free_download.pdf
- https://cdn.shopify.com/s/files/1/0435/7311/7087/files/62419906077.pdf
- https://cdn.shopify.com/s/files/1/0433/8938/6901/files/karulekakasu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/peregomosurexezobosezob.pdf
- https://cdn.shopify.com/s/files/1/0428/0962/2687/files/50476523901.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e6e.bin` `2d33152505ff6d2f3395493268adac9fafe63b6ad4b257b90b7c917e1d8dc3be`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E6E	4500 bytes
`font_01_sfnt_off00006db5.bin` `d7daaae85fb43b5a63e8ba3cabd081bab7856a1838916f752f54715e9b999781`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DB5	10420 bytes
`font_02_sfnt_off00009150.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9150	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.