Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bcc3f9440722e3d…

MALICIOUS

PDF

50.8 KB Created: 2020-08-30 21:56:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 587b0ac14dc78ae3030d8d6ca7eba96d SHA-1: 2355b02cdff60d2ce10b4f165786bcfe56c3bb9a SHA-256: 1bcc3f9440722e3dc1bb5f15ef19057f4cb1ebcca48948a3cab23e24f4e0ce28
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=medical+terminology+for+nurses'. This URL is likely intended to lead the user to a malicious site. The document also contains a link farm heuristic, indicating a large number of external links, with the first being 'https://static.usrfiles.com/ugd/9e53d4_fdfe25d24530488281b7fd1006d9df4c.pdf'. The document body, though partially corrupted, contains text related to 'Medical terminology for nurses' and the malicious URL, suggesting a lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=medical+terminology+for+nurses
    • https://static.usrfiles.com/ugd/9e53d4_fdfe25d24530488281b7fd1006d9df4c.pdf
    • https://static.usrfiles.com/ugd/9cb927_4b786972f9bb46ec8a294aed53bb0fc6.pdf
    • https://static.usrfiles.com/ugd/4b68be_e1ae84aa7cb84c8494640947c1c24678.pdf
    • https://static.usrfiles.com/ugd/b8c837_e4528cdedf9f4bfa8a790608bcd52e69.pdf
    • https://static.usrfiles.com/ugd/b8c837_7db30c22d794484f9432cd9a2a448ddc.pdf
    • https://static.usrfiles.com/ugd/0c268c_dcf12171730d419f98f56ed6e9a724b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_66d471974631470d906d39d0ad24135d.pdf
    • https://static.usrfiles.com/ugd/b8c837_c4d5a6f8fc114c37a8460fbd3a5fed15.pdf
    • https://static.usrfiles.com/ugd/b8c837_a6ca1f5a16b04905a656077c5c3cbf9c.pdf
    • https://static.usrfiles.com/ugd/b8c837_1053edf0e1d8419aaa6158287312581e.pdf
    • https://static.usrfiles.com/ugd/b8c837_1467a39025ce4bce8b4f3f68e8e28027.pdf
    • https://static.usrfiles.com/ugd/d5cf39_c82ee83048ed48f8a97ee882ac0672d6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f96.bin
61212cccc12e2daad601c38c6248ab0c6e5088670b45b493c597c6a1ae032759		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F96 5328 bytes
font_01_sfnt_off000081a2.bin
432423131cbc79d377c63f11df97570b2d8397da04c2cabc36fa65ed26176b08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81A2 14716 bytes
font_02_sfnt_off0000b056.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB056 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.