Malicious PDF — malware analysis report

Static analysis result for SHA-256 37d5dbc87d2f17d7…

MALICIOUS

PDF

89.7 KB Created: 2020-09-07 11:38:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79b24d17a8ac205e9cfbaed359926ab5 SHA-1: 554b711099414912536eb91bf0bba69b5c1483ee SHA-256: 37d5dbc87d2f17d72bec043167cf9f806a7895d415f5528d53a08fff75a58198
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=nccn+lung+cancer+screening+guidelines'. The document body, though heavily obfuscated, also contains this URL. The presence of urgency language further supports a phishing or scam attempt. No scripts were extracted, limiting the analysis of the payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=nccn+lung+cancer+screening+guidelines
    • https://static.usrfiles.com/ugd/6924eb_7ad8ee74abb9490c8b45a63640010b5a.pdf
    • https://static.usrfiles.com/ugd/43d598_fa08e076c6a14de594b8b6b784675dd2.pdf
    • https://static.usrfiles.com/ugd/6812d7_ca2c2ec4062d4566bb7e3531e05ddec7.pdf
    • https://cdn.shopify.com/s/files/1/0434/7510/7992/files/rolando_arellano_marketing.pdf
    • https://cdn.shopify.com/s/files/1/0430/9336/0801/files/98505783658.pdf
    • https://cdn.shopify.com/s/files/1/0463/2576/0155/files/network_monitoring_for_dummies.pdf
    • https://cdn.shopify.com/s/files/1/0432/1227/5870/files/rulekedapiwedizoxikuv.pdf
    • https://static.usrfiles.com/ugd/bf07b1_4214e7cc42d64add970eac84523f5601.pdf
    • https://static.usrfiles.com/ugd/ee6100_f5510ca039f14c58a17f3b65b2a4826b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000120db.bin
e311391598910474b3de30ee64392f9047bb7ee781492053c16e8b14aa73438a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x120DB 5076 bytes
font_01_sfnt_off0001322f.bin
6985a40e80f9ce2113de198d787e3e2cf9f92b4cc3b108515e3dc1691d6194c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1322F 12608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.