Malicious PDF — malware analysis report

Static analysis result for SHA-256 49621c2f9898d331…

MALICIOUS

PDF

37.1 KB Created: 2020-09-08 13:43:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 725827c8d2d0c4690981c3e02bfa7b55 SHA-1: 5b311792088a0882deac838458c37fac2c7c68a0 SHA-256: 49621c2f9898d331f31bee816b246b3004eca06eb02909ccf5cc0a56ef372816
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/wix?keyword=adolescent+health+services+guidelines'. This indicates an attempt to redirect the user to a malicious site. The document body, though partially corrupted, contains text related to "Adolescent health services guidelines" and the malicious URL, suggesting a lure to entice clicks. The presence of a link farm heuristic further supports the malicious intent of distributing links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=adolescent+health+services+guidelines
    • https://static.usrfiles.com/ugd/3d0627_3b4456716e404478bdc8fb0549bab61a.pdf
    • https://static.usrfiles.com/ugd/f9d4cd_414ed01dc9ee4afe943a07408fded457.pdf
    • https://static.usrfiles.com/ugd/fdee49_2d3946aa1607495c972721b1de156beb.pdf
    • https://static.usrfiles.com/ugd/cdb50c_3b44852af9bb4147b7477713ef8442ec.pdf
    • https://cdn.shopify.com/s/files/1/0435/5073/6539/files/absolute_value_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0430/5495/6695/files/19126079994.pdf
    • https://cdn.shopify.com/s/files/1/0432/4740/3168/files/64644960038.pdf
    • https://cdn.shopify.com/s/files/1/0431/1308/7142/files/cisco_anyconnect_client_windows_10_free.pdf
    • https://cdn.shopify.com/s/files/1/0464/6640/0414/files/66271608804.pdf
    • https://cdn.shopify.com/s/files/1/0432/6231/2616/files/20512391367.pdf
    • https://cdn.shopify.com/s/files/1/0438/2310/4160/files/ruwisoj.pdf
    • https://cdn.shopify.com/s/files/1/0433/0392/7973/files/8699605213.pdf
    • https://cdn.shopify.com/s/files/1/0438/9273/6155/files/blackjack_online_game_free_no.pdf
    • https://cdn.shopify.com/s/files/1/0431/5670/1346/files/best_performing_allocated_pension_funds.pdf
    • https://cdn.shopify.com/s/files/1/0434/3509/8264/files/dubeluvusupowuki.pdf
    • https://cdn.shopify.com/s/files/1/0429/2483/4975/files/53785044765.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052ad.bin
b7d839c9f59221c3261f0207dc28dd3c988ecb37b61f51281e7f4a0c04678083		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52AD 5248 bytes
font_01_sfnt_off00006488.bin
367ef058737cbf2ebc12e75d5a301a55326c6274fd7c44c3cf807d2bb45e169c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6488 10304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.