Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ccee53cfe5f2561…

MALICIOUS

PDF

Size: 45.2 KB
Created: 2020-08-10 19:33:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 692c3cc482fdb9eb6137faffc05a5202
SHA-1: a2271e173aa9e2c0a95abe80b298887f76b56210
SHA-256: 8ccee53cfe5f25615f4df9ae1f96cca23612a1f14619c9693e0482669ca331cc
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1204.002 Malicious File

The PDF contains a clickable link to ttraff.com, a redirector the scanner classifies as known malicious infrastructure. Such redirectors are typically used to funnel victims into further malicious or unwanted-software delivery chains. The document body, although heavily garbled, also contains that URL and reads as a lure built around a medical reference, specifically 'Atlas of electrocardiography k wang pdf'. The large number of embedded links, most of them pointing at cdn.shopify.com, indicates a generated SEO link farm intended to raise the search ranking of related lure documents rather than a genuine citation pattern; the wkhtmltopdf authoring application (an HTML-to-PDF converter) is consistent with automated generation from a web template. No PDF parser exploit is involved: the sample depends on the user clicking the link and following the redirect chain.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.com/pify?keyword=atlas+of+electrocardiography+k+wang+pdf
    • http://files.yogaaah.com/uploads/1/3/1/3/131379246/5371260.pdf
    • http://files.marosenbergartist.com/uploads/1/3/2/6/132695828/1275055.pdf
    • http://kuzununej.domaszeromskasmusic.com/uploads/1/3/1/1/131163635/5937526.pdf
    • https://cdn.shopify.com/s/files/1/0440/8573/9670/files/zuveb.pdf
    • https://cdn.shopify.com/s/files/1/0433/4059/5352/files/bigen.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rosetotirumeza.pdf
    • https://cdn.shopify.com/s/files/1/0433/0677/8777/files/5447763040.pdf
    • https://cdn.shopify.com/s/files/1/0431/3156/8290/files/31479194028.pdf
    • https://cdn.shopify.com/s/files/1/0437/6369/5770/files/88804616770.pdf
    • https://cdn.shopify.com/s/files/1/0435/7799/9519/files/lipibijefutalopisanejow.pdf
    • https://cdn.shopify.com/s/files/1/0431/9808/7328/files/gajugunojeri.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3082/files/10686288994.pdf
    • https://cdn.shopify.com/s/files/1/0429/3728/6815/files/weselupepodizotuzinano.pdf
    • https://cdn.shopify.com/s/files/1/0434/4309/3660/files/double_entry_accounting_system.pdf
    • http://www.amazon.com/ECG-Self-Study-Book-K-Wang/dp/9350909960
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard RDF/Dublin Core/XMP namespace identifiers from the document's metadata packet, not navigable links, and should be excluded when counting external links.
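The two critical heuristics above reduce to a few measurable properties of the link annotations: how many clickable URIs the file carries, how many of them point at other .pdf files, how strongly those cluster on one host, and whether any target a known redirector. The script below, added here as an illustration and not the scanner's own code, pulls /URI targets out of an uncompressed PDF with a regular expression and applies that logic. The thresholds (200 KB, 8 PDF links, 50% on one host) and the redirector set {ttraff.com} are assumptions chosen to match this sample; the sample PDF is constructed inline from URLs of the same shape as the ones listed in this report.

```python
"""Extract URI link annotations from a PDF and apply link-farm / redirector
heuristics.  Added illustration, not the scanner's code; thresholds and the
redirector list are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: host the report labels as known redirector infrastructure.
KNOWN_REDIRECTORS = {"ttraff.com"}

# /URI (...) entry of a link action in an uncompressed object.  PDF literal
# strings may contain escaped parentheses, hence the (?:\\.|[^\\)])* body.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(raw: bytes) -> str:
    # Undo the three escapes that matter inside a URL: \( \) and \\ .
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uri_links(pdf: bytes) -> list[str]:
    """Return every /URI target visible in the raw (uncompressed) PDF bytes."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes, max_size=200 * 1024, min_pdf_links=8,
                      cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: small file, many external .pdf links,
    one dominant host; plus a PDF_MALICIOUS_REDIRECTOR_LINK-style lookup."""
    links = extract_uri_links(pdf)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted({u for u in links
                          if urlparse(u).netloc.lower() in KNOWN_REDIRECTORS})
    return {
        "size": len(pdf),
        "links": links,
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "redirector_links": redirectors,
        "link_farm": (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                      and share >= cluster_ratio),
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a one-page PDF whose only content is one link
    annotation per URL.  Objects are written uncompressed on purpose."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annots + b"] >>")
    for u in urls:
        esc = (u.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + esc + b") >> >>")
    out, offsets = b"%PDF-1.4\n", []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return out


# Constructed URL set shaped like this report's: one redirector, a Shopify
# cluster of lure PDFs, one stray PDF host and one non-PDF reference link.
SAMPLE_URLS = (
    ["https://ttraff.com/pify?keyword=atlas+of+electrocardiography+k+wang+pdf"]
    + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/lure{i}.pdf"
       for i in range(11)]
    + ["http://files.yogaaah.com/uploads/1/3/1/3/131379246/5371260.pdf",
       "http://www.amazon.com/ECG-Self-Study-Book-K-Wang/dp/9350909960"]
)

if __name__ == "__main__":
    verdict = link_farm_verdict(build_sample_pdf(SAMPLE_URLS))
    print({k: v for k, v in verdict.items() if k != "links"})
```

The regex only sees objects stored in the clear. Real samples written by PDF 1.5+ producers often pack annotations into compressed object streams, so run `qpdf --qdf --object-streams=disable in.pdf out.pdf` first (or walk the page tree with a PDF library) before trusting a zero count; a sample this small produced by wkhtmltopdf/Qt is stored uncompressed, which is why raw-byte extraction worked here.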

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                  Size
font_00_sfnt_off00007111.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7111   5664 bytes
    SHA-256: 6aed5b533c5e31ed4e96cd1b73689d02f32e67b374942787caead9a09627107d
font_01_sfnt_off0000846b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x846B  10516 bytes
    SHA-256: 788ee9411b551dccf6a11a4dd7a46e31d2d5c15a6f3e23d92a92faaf6ac77e80