Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f991fcc2112fca4…

MALICIOUS

PDF

42.6 KB Created: 2020-08-23 03:19:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 67caee286c3c48acbe7952068a62097b SHA-1: 452001f21a1a3b93abeeedc9478f153e5214a5ca SHA-256: 1f991fcc2112fca49f5a6a192c39b543a7e0c468ecefdbf503147a3fe354ee91
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, ttraff.com, which is likely used for phishing or malware distribution. The document body and embedded URLs suggest a lure related to 'American college of cardiology guidelines 2018' to entice users to click the malicious link. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm strategy to obscure the final malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=american+college+of+cardiology+guidelines+2018
    • http://files.shorewoodmovingforward.com/uploads/1/3/1/8/131871699/savuzimafud.pdf
    • http://files.lifeunshattered.com/uploads/1/3/2/6/132695472/5072812.pdf
    • http://files.kwitoskiandassociates.com/uploads/1/3/1/4/131438211/wanavovajoben-fuzumibufam.pdf
    • http://semejuv.sunday.ca/uploads/1/3/1/3/131383544/vidikefunajeserod.pdf
    • http://files.diamynscrystalbar.com/uploads/1/3/1/4/131408942/3878326.pdf
    • https://cdn.shopify.com/s/files/1/0430/5692/2777/files/13235785213.pdf
    • https://cdn.shopify.com/s/files/1/0429/3161/7945/files/regizugodef.pdf
    • https://cdn.shopify.com/s/files/1/0433/6710/4664/files/chakori_video_song.pdf
    • https://cdn.shopify.com/s/files/1/0432/8502/0827/files/kerboodle_answers_spanish_aqa_a_level.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/picard_facepalm_ascii.pdf
    • https://cdn.shopify.com/s/files/1/0430/9513/0266/files/animehd47_naruto_shippuden.pdf
    • https://cdn.shopify.com/s/files/1/0435/2940/4567/files/36896783110.pdf
    • https://cdn.shopify.com/s/files/1/0435/6761/2063/files/janujogopewilebu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9259/0236/files/45112015430.pdf
    • https://cdn.shopify.com/s/files/1/0440/7951/3752/files/mamerekedezofovekole.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006766.bin
d40565e81fd9df29c02855ab5fa64a36c1ba670c3555983a96aaf07e7d2c5982		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6766 5952 bytes
font_01_sfnt_off00007b8a.bin
735c78909a70f83d2186b13552fbb676a589ee8b25e52d46ab31b6fc343b72ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B8A 9860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.