Malicious PDF — malware analysis report

Static analysis result for SHA-256 2198370a70c1e00a…

Verdict: MALICIOUS
File type: PDF

Size: 44.8 KB
Created: 2020-08-14 20:53:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c61ef5e9c92aac7f60c5b1fa07ac19b
SHA-1: f675f5e79ae8074fdab582728400c3894935b364
SHA-256: 2198370a70c1e00ac205a0db8e50f21a4af58cb8b42271e89523a46c0b334a50
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.cc', which is also present in the document body. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs hosted on shopify.com and one suspicious link to 'fidete.bethelwc.net'. The document body, though partially corrupted, contains the phrase 'prolactinoma in pregnancy guidelines' and the malicious URL, suggesting a lure to a malicious site.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=prolactinoma+in+pregnancy+guidelines
    • http://fidete.bethelwc.net/uploads/1/3/1/0/131070374/9899783.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off00007188.bin
    SHA-256: ca3621676c1711ec6793a93b90b8360629aa2ba53bedd67cf6637905b841ee08
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7188; Size: 5496 bytes
  • font_01_sfnt_off00008420.bin
    SHA-256: 44105e812f45eff024f4eb385285e8fc6cfb8f61ccfc20830fc41fae2e95536a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8420; Size: 10108 bytes