PDF malware analysis — malicious · 39c620464936ce6e

MALICIOUS

PDF

42.0 KB Created: 2020-07-28 19:14:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 232a02c69f04ced15468f748b50d73cc SHA-1: 4a9bc2f0e2b5122b99402d76fd68063c6d01e305 SHA-256: 39c620464936ce6ef8d56b008e7c338a283fe0b348186176487d60161aef30bb

162 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Link

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used in a social engineering lure to trick users into updating their Chrome browser. It also contains a PDF link farm with numerous links hosted on Shopify, with one prominent example being 'cdn.shopify.com/s/files/1/0432/9200/0412/files/livujiw.pdf'. The document body, though heavily obfuscated, contains text fragments suggesting an update lure.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=update+chrome++free
- http://files.citytourstravel.com/uploads/1/3/0/7/130775331/gisafopiti_fubodirukad_bigizikexomalo_rixefotevutux.pdf
- http://files.northcountrylittlesblog.com/uploads/1/3/1/0/131069860/wirojanalikix.pdf
- http://files.freenovels.net/uploads/1/3/1/3/131398360/wunixur.pdf
- http://files.citytourstravel.com/uploads/1/3/0/7/1307753
- https://cdn.shopify.com/s/files/1/0432/9200/0412/files/livujiw.pdf
- https://cdn.shopify.com/s/files/1/0435/4513/3215/files/61590181603.pdf
- https://cdn.shopify.com/s/files/1/0431/7895/0810/files/66110288385.pdf
- https://cdn.shopify.com/s/files/1/0428/3459/1907/files/45786761917.pdf
- https://cdn.shopify.com/s/files/1/0437/8856/6680/files/girudoxixolone.pdf
- https://cdn.shopify.com/s/files/1/0427/5725/9420/files/gigib.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/84113106953.pdf
- https://cdn.shopify.com/s/files/1/0431/2072/2080/files/82362000959.pdf
- https://cdn.shopify.com/s/files/1/0437/5127/6696/files/5019708222.pdf
- https://cdn.shopify.com/s/files/1/0432/5651/2680/files/nurabuwukokokomikik.pdf
- https://cdn.shopify.com/s/files/1/0435/4303/6053/files/janulidatamosixe.pdf
- https://cdn.shopify.com/s/files/1/0429/9007/6057/files/fakegifabubudilinol.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066ce.bin` `fbb59a35f5bb93b6fb8e57ac46cc6a45ef23e1d587327c262e159796b58b2cf7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66CE	4812 bytes
`font_01_sfnt_off0000772a.bin` `d1e8a720c1b857109f166f79c15d1ea80c0c37ad736d58a8e810c520a101a03e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x772A	10564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.