Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b846f5fe3314367…

MALICIOUS

PDF

44.7 KB Created: 2020-09-01 05:43:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8716462e3f0dc47d2fb945378707a034 SHA-1: 97ec96aad7c37f3b6f5e96983b055bb4934b54e3 SHA-256: 1b846f5fe331436790057e1e6df554519b14a9d894f6a00796973a49d24812a7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a medical guideline. This heuristic, combined with the presence of numerous other links to external PDFs, indicates a likely attempt to direct the user to malicious content. The document body, though heavily obfuscated, contains the URL that is also present in the heuristics and IOCs.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=heart+failure+escardio+guidelines
    • https://static.usrfiles.com/ugd/f09a9d_ed2ee602de7f4653897cc93659dfeb58.pdf
    • https://static.usrfiles.com/ugd/b8c837_cad43db45b0a4718bfa3e0fd8912180c.pdf
    • https://static.usrfiles.com/ugd/f3ecbe_9adaaeec52364b65b3a9aa8a93c7b06d.pdf
    • https://static.usrfiles.com/ugd/63d3ad_c8b9b0bdc54f440985a30768aba30d29.pdf
    • https://cdn.shopify.com/s/files/1/0432/0844/2020/files/36745049187.pdf
    • https://static.usrfiles.com/ugd/79e0dc_968eb93b79bd433c9fd5e9d19d72c115.pdf
    • https://static.usrfiles.com/ugd/97368a_303390597baa4adb9611f612f78a7257.pdf
    • https://static.usrfiles.com/ugd/2ca09c_dc4ee08b37dc4e0f8fc752c686a27f37.pdf
    • https://static.usrfiles.com/ugd/af0aa9_cd3c44b0b9a246a7ac973f663dd20f7a.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ad506e16d354203ab18ad88794e9d11.pdf
    • https://static.usrfiles.com/ugd/b8c837_65dd4643af9f455c84a9920ba3ddc9b8.pdf
    • https://static.usrfiles.com/ugd/9ea9b6_bf44d2255d25418ab0900aec36df6f5f.pdf
    • https://static.usrfiles.com/ugd/b8c837_ceb9385c38a94f67ae156edaa31c7a55.pdf
    • https://static.usrfiles.com/ugd/b8c837_012066c4100a4d72aa42819e8794940d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000718b.bin
85249bf71b0965e1d92fd802120b75f06da1ceb62a7eaf467f9769432dc21572		 pdf-font-stream PDF embedded font (sfnt) at offset 0x718B 5152 bytes
font_01_sfnt_off00008323.bin
8acb02f2aba2c27e87020093c7b8571bbcfd57983daf803c7ee15fd200269c7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8323 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.