Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e2eead59ee31778…

Verdict: MALICIOUS
File type: PDF
Size: 283.2 KB
Created: 2020-09-02 19:46:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7), an HTML-to-PDF converter; producer metadata is self-reported and easily forged
MD5: 55ec10cbf1ff41d48191c16991e34b19
SHA-1: 5bf3b8b013f44c9550c721a1e3e6a3673e88b36d
SHA-256: 8e2eead59ee31778e4b5682176f3044438c88f56e3b32536a5c70192eede9b39
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link. The scanner labelled this ID "Spearphishing Attachment", but T1566.002 is Spearphishing Link (T1566.001 is Spearphishing Attachment); the evidence here, a clickable URI inside the document, fits T1566.002.
T1059.001 Command and Scripting Interpreter: PowerShell. Listed by the scanner, but nothing in the heuristics or extracted artifacts below shows PowerShell or any script; treat this mapping as unconfirmed.

The PDF contains a clickable link to a known malicious redirector, with the document styled as a medical guideline (the URL's keyword parameter, esc+guideline+diabetes+2019, matches the lure). The embedded URL https://ttraff.club/wix?keyword=esc+guideline+diabetes+2019 is the primary indicator of malicious intent; the verdict rests on this link, not on an exploit or an embedded script. This is consistent with a phishing or SEO-poisoning lure that sends the reader through a redirect chain to an attacker-controlled site.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure   severity: critical   PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI (typically a /Link annotation with a /URI action) pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF-parser vulnerability, so the risk lies in where the reader is sent, not in what the file does when it is opened.
  • Embedded URL   severity: info   EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; which channel (macro, JavaScript, link annotation, document body, ...) reached each URL is recorded in per-URL labels that are not reproduced in this listing.
    • https://ttraff.club/wix?keyword=esc+guideline+diabetes+2019 (the clickable redirector link flagged above)
    • https://static.usrfiles.com/ugd/ac72e0_72d64b2c85fb42ea9a928108203a1ee8.pdf
    • https://static.usrfiles.com/ugd/a4c1fa_c22d68e19ce64c5b8def67104f003b38.pdf
    • https://static.usrfiles.com/ugd/b80405_31f01761079147ae9f266ecc2add0bbc.pdf
    • https://static.usrfiles.com/ugd/12f4eb_6869071f5a1b448baa53421d3afb8f0b.pdf
    • https://cdn.shopify.com/s/files/1/0440/8265/9493/files/13088748728.pdf
    • https://cdn.shopify.com/s/files/1/0431/2052/5476/files/mibavobuviwuvufav.pdf
    • https://cdn.shopify.com/s/files/1/0466/7709/8661/files/simple_house_rent_agreement_format_in_word.pdf
    • https://cdn.shopify.com/s/files/1/0428/6241/1942/files/70247902572.pdf
    • https://cdn.shopify.com/s/files/1/0434/9424/4516/files/sibazat.pdf
    • https://cdn.shopify.com/s/files/1/0457/7371/7670/files/guided_busway_st_ives_map.pdf
    • https://cdn.shopify.com/s/files/1/0460/9032/2084/files/cutting_shapes_don_diablo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/waxigulazatep.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69440205977.pdf
    • https://cdn.shopify.com/s/files/1/0431/0676/2905/files/rubrica_para_evaluar_proyecto.pdf
    The fourteen .pdf URLs above sit on shared third-party file hosts (static.usrfiles.com is Wix user storage, cdn.shopify.com is Shopify's CDN), so block them at the full-URL level rather than by domain.
    The remaining six are XMP/RDF namespace identifiers from the document's metadata packet (RDF, Dublin Core, Adobe PDF and XMP schemas). They are schema names that appear in every XMP-tagged PDF, not navigable links, and should not be treated as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font streams in sfnt (TrueType/OpenType) container format; the SHA-256 is that of the carved bytes and the offset is the position in the PDF at which the font data was found.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0003fcf9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x3FCF9    5588 bytes
    SHA-256: cfccff6014771b1043d1b1c03ba2967e91db9d9158f028728458db2cff06e3ed
font_01_sfnt_off0004100f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x4100F   17500 bytes
    SHA-256: 194f33da41a5dc355751c1d023190a3a49520cda4cf48936f252d6e8c38acd9d
font_02_sfnt_off000446c1.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x446C1   16148 bytes
    SHA-256: ebaa9d42c58e3fd25c8264bcf4ef2319fee467c92cf53dcc1f377a20fc8d39b0
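The two distinctions this report relies on, a clickable /Link URI versus a namespace URI that merely appears in XMP metadata (the EMBEDDED_URL channel split), and carving an embedded sfnt font stream together with its file offset, size and SHA-256 (the artifact table), implemented as an added example against a constructed PDF. This is not the scanner's code: the watchlist, the sample document, the assumption of plain uncompressed objects and all helper names are assumptions for the demo.

```python
"""Added example (not the scanner's code): reproduce the report's URL-channel
split and font carving on a constructed PDF. Standard library only; it walks
raw objects, so it ignores xref tables, object streams and indirect /Length."""
import hashlib
import re
import struct
import zlib
from urllib.parse import urlsplit

REDIRECTOR_HOSTS = {"ttraff.club"}  # constructed watchlist; the real feed is not on the page
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}  # TrueType/OpenType/collection

# Constructed sample data: an XMP packet declaring namespace URIs, a 32-byte stub
# with an sfnt header (version 1.0, zero tables) in place of a real font, and the
# report's redirector URL as the only clickable link.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
       b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')
FONT = struct.pack(">IHHHH", 0x00010000, 0, 0, 0, 0) + b"\0" * 20
LINK = b"https://ttraff.club/wix?keyword=esc+guideline+diabetes+2019"


def build_pdf():
    """One page, one /Link annotation with a /URI action, XMP metadata, one FontFile2."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (" + LINK + b") >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Foo /FontDescriptor 7 0 R >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP) + XMP + b"\nendstream",
        b"<< /Type /FontDescriptor /FontName /Foo /FontFile2 8 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(FONT) + FONT + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _objects(pdf):
    return [m.group(1) for m in re.finditer(rb"\d+ 0 obj\s*(.*?)\s*endobj", pdf, re.S)]


def _unescape(s):  # only the literal-string escapes that can occur inside a URI
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def link_uris(pdf):
    """URIs a reader would actually open: /Link annotations carrying a /URI action."""
    uris = []
    for body in _objects(pdf):
        if b"/Link" in body:
            for m in re.finditer(rb"/S\s*/URI\s*/URI\s*\(((?:[^()\\]|\\.)*)\)", body):
                uris.append(_unescape(m.group(1)))
    return uris


def metadata_uris(pdf):
    """Namespace URIs declared in XMP packets: schema identifiers, never navigated."""
    return sorted({m.group(1).decode("latin-1") for m in re.finditer(rb'xmlns:\w+="([^"]+)"', pdf)})


def flag_redirectors(uris, watchlist=REDIRECTOR_HOSTS):
    """The redirector heuristic: match on host, and feed it clickable URIs only."""
    return [u for u in uris if (urlsplit(u).hostname or "") in watchlist]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_fonts(pdf):
    """(file offset, size, sha256) of every stream whose bytes start with an sfnt tag.
    /Length comes from the stream's own dictionary; indirect lengths are skipped."""
    fonts = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        head = pdf[max(0, m.start() - 512):m.start()].split(b"endobj")[-1]
        lengths = re.findall(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", head)
        if not lengths:
            continue
        start, size = m.end(), int(lengths[-1])
        data = pdf[start:start + size]
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        if data[:4] in SFNT_MAGICS:
            fonts.append((start, len(data), sha256_hex(data)))
    return fonts


def triage(pdf):
    links = link_uris(pdf)
    return {"link_uris": links, "metadata_uris": metadata_uris(pdf),
            "redirectors": flag_redirectors(links), "fonts": carve_fonts(pdf)}


if __name__ == "__main__":
    for key, value in triage(build_pdf()).items():
        print(key, value)
```

Running it on the constructed sample flags only the /Link URI as a redirector hit; the four xmlns URIs are extracted but never reach the watchlist, which is the separation the EMBEDDED_URL heuristic describes. On a real sample, replace the regex object walk with a proper parser (xref, object streams, FlateDecode on every stream) before trusting the offsets.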