PDF malware analysis — malicious · c539b561490c3411

MALICIOUS

PDF

44.5 KB Created: 2020-08-06 23:51:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3fcbc93b5f4f3f87c1da9aeae4d971ef SHA-1: ca588e0c18d35fbf070bb72fd126c26f58b04326 SHA-256: c539b561490c3411313eba0020355bdcd6a7728f1f53057da3f96816c2d67888

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The primary malicious URL identified is ttraff.com, which is flagged as a malicious redirector. The document body, though partially obfuscated, contains the title 'Concept of chromophore and auxochrome pdf' and the malicious URL, suggesting a lure to a phishing or malware distribution site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=concept+of+chromophore+and+auxochrome+pdf
- http://files.omoroseblessings.com/uploads/1/3/1/8/131856446/zerifiperavoniz-firipaj.pdf
- http://fisasa.pineycreekbastrop.com/uploads/1/3/1/4/131407995/kajisomikutataj-gesagut-rowupuwage-fivatejasumew.pdf
- http://files.spanishconversation.net/uploads/1/3/1/8/131857465/2479217.pdf
- https://cdn.shopify.com/s/files/1/0436/9163/8934/files/disegafegapitutejeme.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/riwemabosemuridaredexe.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mejamuzeditika.pdf
- https://cdn.shopify.com/s/files/1/0436/4202/8182/files/4335490313.pdf
- https://cdn.shopify.com/s/files/1/0430/4224/2709/files/tawid.pdf
- https://cdn.shopify.com/s/files/1/0433/2398/1979/files/60765551108.pdf
- https://cdn.shopify.com/s/files/1/0431/4205/4048/files/zusewopal.pdf
- https://cdn.shopify.com/s/files/1/0435/2193/3466/files/65695127967.pdf
- https://cdn.shopify.com/s/files/1/0427/9923/5228/files/18271967224.pdf
- https://cdn.shopify.com/s/files/1/0433/8299/7148/files/dukajepa.pdf
- https://cdn.shopify.com/s/files/1/0430/5040/1945/files/bunub.pdf
- https://cdn.shopify.com/s/files/1/0436/9163/8934/files/96083941987.pdf
- https://cdn.shopify.com/s/files/1/0429/0707/4723/files/17185123582.pdf
- https://cdn.shopify.com/s/files/1/0432/7079/9510/files/42403050301.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000635e.bin` `06ed0a73f8a6f61afe3aa33f84dfb62ed5715f0795d946c9232f1aa592796077`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x635E	5108 bytes
`font_01_sfnt_off00007489.bin` `ed704b03b502e4d033e4cc15f88a11c9271c8905f9423a513569d2d483357d48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7489	10092 bytes
`font_02_sfnt_off000096d1.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x96D1	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.