Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a6f6a3390f8a310…

MALICIOUS

PDF

154.0 KB Created: 2020-08-29 22:09:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36b144079a8004bd51ecfa1d2714d911 SHA-1: 32a17a6063ed21f32f42830ee21af20d340e8deb SHA-256: 1a6f6a3390f8a310955fcbdef6b7a4b4a34ac368323371b6b9a6b75bf8d3bf73
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is flagged as a critical finding. The document body, though heavily obfuscated, appears to contain the same malicious URL. The presence of a visual download button further supports a social engineering lure. The overall pattern suggests a phishing attempt designed to redirect users to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=osha+flammable+storage+cabinet+regulations
    • https://static.usrfiles.com/ugd/b8c837_e4b728b8f34e4bc4b63c6ee87bb3e84a.pdf
    • https://static.usrfiles.com/ugd/b8c837_a83d4616e8a249219a4675ee11e3f3c7.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_a6c96a77b83c4a8f92d96d27ad6d45df.pdf
    • https://static.usrfiles.com/ugd/b8c837_dfc587d6c35a4f17877ed0369fc95c21.pdf
    • https://static.usrfiles.com/ugd/b8c837_f75bd20688a340b8bd166cdcea3d0ce6.pdf
    • https://cdn.shopify.com/s/files/1/0429/1464/4127/files/nulameruso.pdf
    • https://cdn.shopify.com/s/files/1/0429/9148/5091/files/hindu_baby_boy_names_starting_with_k.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa3f79f315344e1b9542d8b04c15f966.pdf
    • https://static.usrfiles.com/ugd/b8c837_73340e03bf734e0db3ff44b49dbedbd9.pdf
    • https://static.usrfiles.com/ugd/af0aa9_34a08e6d250846448f0a6db8c7fe26eb.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3847/files/zumefoxonakuv.pdf
    • https://cdn.shopify.com/s/files/1/0431/0971/2021/files/lokexo.pdf
    • https://cdn.shopify.com/s/files/1/0434/3077/2901/files/83935914211.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000223ea.bin
7f7054bcd18c7a20624f8786620fc832ce97024cddb9770243783908c752b453		 pdf-font-stream PDF embedded font (sfnt) at offset 0x223EA 5464 bytes
font_01_sfnt_off0002365b.bin
aca2864a284fe7d00ddb690de51b95c04925870fa7b4642d8c9749f7636d481c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2365B 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.