PDF malware analysis — malicious · 39c967895452670a

MALICIOUS

PDF

55.7 KB Created: 2020-08-29 23:40:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 852e83fdf6852c0c0f8817cd8c20229e SHA-1: 8e6dc80efd5af045f469331beb43631c57272600 SHA-256: 39c967895452670a176a1cae4291d043769e24ece4405d1a66c0c759018348db

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, a common tactic for SEO link farms and redirecting users to malicious sites. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a phishing or malware download page. The document body, though heavily obfuscated, contains the URL that triggered the heuristic, reinforcing the malicious intent. No scripts were extracted, but the PDF structure itself is used to facilitate the malicious redirection.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=bezpe%25C4%258Dnost+kr%25C3%25A1je%25C4%258D%25C5%25AF+potravin
- https://static.usrfiles.com/ugd/576447_3b0c9172b7374671b1a31783e8d6a5b0.pdf
- https://static.usrfiles.com/ugd/d01287_772e3e18d6c34df4b13f6f014a9f53ad.pdf
- https://static.usrfiles.com/ugd/b8c837_f63fa5da256941cfae0d6e715e33bf67.pdf
- https://static.usrfiles.com/ugd/0779a3_af31765e784541319b77f48c2f3c1fda.pdf
- https://static.usrfiles.com/ugd/b8c837_1de383fdc8ff445f9343ab234c04cb5e.pdf
- https://cdn.shopify.com/s/files/1/0432/3888/3485/files/judefapujo.pdf
- https://cdn.shopify.com/s/files/1/0433/7955/6504/files/how_were_the_12_apostles_martyred.pdf
- https://cdn.shopify.com/s/files/1/0433/1785/4366/files/signpost_words.pdf
- https://cdn.shopify.com/s/files/1/0436/7689/3334/files/sesivenezibanitewid.pdf
- https://static.usrfiles.com/ugd/83b1b3_51da31253c4f46b7a728b7d486b3cea0.pdf
- https://static.usrfiles.com/ugd/b8c837_b8c4c6b8ac9e40a89c928cd2f02856af.pdf
- https://static.usrfiles.com/ugd/b8c837_3613a9d2513a4ce6bbefef911945bafe.pdf
- https://static.usrfiles.com/ugd/cd79e3_521218ee53524afb89b1a72bba970899.pdf
- https://cdn.shopify.com/s/files/1/0427/9799/0055/files/33373319882.pdf
- https://cdn.shopify.com/s/files/1/0437/2309/6216/files/28682727010.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000082d2.bin` `b91c48d6323e468576a2efe054e4a715ca4200d5ad814314a38f1b45144829dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x82D2	5648 bytes
`font_01_sfnt_off00009560.bin` `2ff5a91ea7d93546b02959e2fd3eea65d3a75ed7cb308c3f86f6618cdc48d0d8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9560	12604 bytes
`font_02_sfnt_off0000bb2b.bin` `d7c0313d84b709fe8a6a90baca56b34c20eeda1db47cffc02c31991c89a68c0d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBB2B	16080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.