PDF malware analysis — malicious · c3360c53a8c0eaed

MALICIOUS

PDF

39.0 KB Created: 2020-08-01 16:44:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 89fb6ac049a91bf48fd9d4b5764f0c87 SHA-1: a76af2f8cab6449dae0dcd77af42d833342dc84b SHA-256: c3360c53a8c0eaed8eb187f79c1d7b25c0b4507144ae98a55052c3b4e7a73bc8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources, indicating a link farm. One of the primary links directs to a known malicious redirector, ttraff.ru, which is likely used to obscure the final malicious destination. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking URLs hosted on Shopify, suggesting a lure to disguise the malicious intent. The presence of numerous PDF links and a malicious redirector strongly suggests a phishing or redirection attack.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=mumford+and+sons+believe+lyrics
- http://files.behindthebars.org/uploads/1/3/0/8/130814279/kuratamifobuwuw.pdf
- http://files.fitupfabrication.com/uploads/1/3/1/4/131437474/jerafenawewiwubeper.pdf
- http://files.kellytuckercreates.com/uploads/1/3/1/6/131637419/nunolabux_gotevupuw.pdf
- http://files.futureprairie.com/uploads/1/3/1/4/131437725/porite.pdf
- https://cdn.shopify.com/s/files/1/0431/7596/8928/files/17042273550.pdf
- https://cdn.shopify.com/s/files/1/0434/7035/6637/files/39309231524.pdf
- https://cdn.shopify.com/s/files/1/0432/4117/7248/files/63301044253.pdf
- https://cdn.shopify.com/s/files/1/0429/9633/4753/files/49441028881.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gabagijujusudizal.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/39748763391.pdf
- https://cdn.shopify.com/s/files/1/0430/3290/3829/files/25089503964.pdf
- https://cdn.shopify.com/s/files/1/0433/5868/3291/files/18288123459.pdf
- https://cdn.shopify.com/s/files/1/0436/3524/5216/files/50740760092.pdf
- https://cdn.shopify.com/s/files/1/0432/5523/4710/files/53651906778.pdf
- https://cdn.shopify.com/s/files/1/0430/2562/9347/files/18359370922.pdf
- https://cdn.shopify.com/s/files/1/0431/6397/5835/files/jidexivuteg.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/91960476686.pdf
- https://cdn.shopify.com/s/files/1/0430/3123/2666/files/rolitezalojixogujuj.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005ac7.bin` `06f5903c1a4a85b09da948ecd1b1b99f21f2b6a74e980c5fc632cd34ed2eea2e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5AC7	5472 bytes
`font_01_sfnt_off00006d64.bin` `faeaaddebe1b2fc33c347397cf8e5981bcb01c81852d985b4fc86586cc4b0da0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D64	9924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.