Malicious PDF — malware analysis report

Static analysis result for SHA-256 200a0b7123764ffb…

Verdict: MALICIOUS
File type: PDF
Size: 42.9 KB
Created: 2020-07-27 04:41:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43ed3df5d8398508733aa7a6631ad91b
SHA-1: 7947dc5a1862d7480959fbd28334a860521364ee
SHA-256: 200a0b7123764ffb8192a9064c78e98efc8fdff075ee46397668c05e8e156198
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A critical heuristic fired on a malicious redirector link in the PDF, pointing to 'ttraff.com'. The document also triggers the PDF link-farm heuristic: it embeds numerous links, many of them hosted on Shopify. The document body, though heavily obfuscated, contains medical terminology and urgency wording consistent with a lure. The primary malicious IOC is the 'ttraff.com' redirector URL, which likely serves as a gateway to a malicious payload or phishing page.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=retencion+placentaria+pdf
    • http://files.eelasor.com/uploads/1/3/2/6/132696506/zabupugowuze.pdf
    • http://files.daventrydogtrainingclub.com/uploads/1/3/0/8/130873973/6745225.pdf
    • http://files.bartowcountysaddleclub.org/uploads/1/3/1/4/131437474/tinasax.pdf
    • https://cdn.shopify.com/s/files/1/0433/4852/5206/files/ralivobarirovujogu.pdf
    • https://cdn.shopify.com/s/files/1/0434/9073/8328/files/mewiwuxaje.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/12584167006.pdf
    • https://cdn.shopify.com/s/files/1/0431/6587/6379/files/56553740258.pdf
    • https://cdn.shopify.com/s/files/1/0431/1128/4893/files/56426608063.pdf
    • https://cdn.shopify.com/s/files/1/0438/7084/7131/files/lajewu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0402/6280/files/xetotodolokivimin.pdf
    • https://cdn.shopify.com/s/files/1/0431/4978/7285/files/fagovazexononarojoser.pdf
    • https://cdn.shopify.com/s/files/1/0437/7729/4498/files/96876337100.pdf
    • https://cdn.shopify.com/s/files/1/0433/7421/5331/files/91817781665.pdf
    • https://cdn.shopify.com/s/files/1/0434/4581/3413/files/83500160870.pdf
    • https://cdn.shopify.com/s/files/1/0431/1102/2756/files/medegatoxajidut.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c3b.bin
  SHA-256: 7606c8578a9349c37c8bbe7a417c621bedc1979f478876739a9b7751016e54cb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6C3B
  Size: 4764 bytes

Filename: font_01_sfnt_off00007c70.bin
  SHA-256: c196ff156317773db245c26546b0bcec27ed9fad1c7767d82fdaedcbdaebd7c3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7C70
  Size: 9976 bytes