Malicious PDF — malware analysis report

Static analysis result for SHA-256 19cc0d464f3ba87f…

MALICIOUS

PDF

46.6 KB Created: 2020-08-30 05:05:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9586fbdb771ebc616c4d3e62ee72aba5 SHA-1: de3c21ff3aa78b6177210b1d4a73a0c3249a7d54 SHA-256: 19cc0d464f3ba87f602b93f9c4954f404d745971de9c288cdfc6a4fd8ac4f3f6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text fragments that appear to be related to Windows updates, suggesting a social engineering lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy, likely to obscure the ultimate malicious destination. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=windowsupdate_00009c59+windowsupdate_dt000+suggestions
    • https://cdn.shopify.com/s/files/1/0427/4411/9462/files/how_to_reduce_bullying_in_schools.pdf
    • https://cdn.shopify.com/s/files/1/0429/5963/4591/files/1656029958.pdf
    • https://cdn.shopify.com/s/files/1/0430/2074/6906/files/eat_stop_eat.pdf
    • https://cdn.shopify.com/s/files/1/0435/7177/3601/files/xiwivifisixilom.pdf
    • https://static.usrfiles.com/ugd/b8c837_b17ce93c91c3442898b4e0ee7fd53639.pdf
    • https://static.usrfiles.com/ugd/2f8cea_e48ddab9157145b9932779501014a8ed.pdf
    • https://static.usrfiles.com/ugd/493135_eb41560fe7bd49bb931a8a07b17c2ee3.pdf
    • https://static.usrfiles.com/ugd/b8c837_5ebc31fccf7147f5b53ae8a6e3b817d9.pdf
    • https://static.usrfiles.com/ugd/b0b521_d3f890c9cc8b404c8314d0547e338799.pdf
    • https://static.usrfiles.com/ugd/b8c837_fba881b756674e429f852991f1cceaf2.pdf
    • https://static.usrfiles.com/ugd/b8c837_9880d44713564552aaa1cb6ddcb2704f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1883669ff4c45148f125acd4cf4194b.pdf
    • https://static.usrfiles.com/ugd/7f46b5_4d69fbc831b749c9aecc4c0df80cd9b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_61e9ac62fda44b49bbb4f0c32d5f05b1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/b8c837_b17ce93c91c344289

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069e4.bin
d1ea20b10f0f4e728a0f41959e359a8d19b1b69122a45e7c44187f50a2ffc980		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69E4 5668 bytes
font_01_sfnt_off00007d6c.bin
bb38e49bc5e3acca7512c3a814a29dabef83b4b0fe3004abbf9fccd7e500aa5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D6C 15636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.