Malicious PDF — malware analysis report

Static analysis result for SHA-256 9339c04d4f88897c…

Verdict: MALICIOUS
File type: PDF
Size: 64.5 KB
Created: 2020-08-17 10:05:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5889c69fa8d610781893a394a4a92e98
SHA-1: 63a3b11a143ade7f5a4a473e1261a406afd01360
SHA-256: 9339c04d4f88897ce1892e1ca3fbb8014cc5102cde289a5a060aa98a446fea28
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely used to obscure the final destination. The document body, though heavily obfuscated, contains the keyword 'bhc full form and structure' which matches the parameter in the malicious URL, suggesting a lure. The presence of a link farm and urgency language further supports a phishing or scam attempt. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.cc/pify?keyword=bhc+full+form+and+structure

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b945.bin
  SHA-256: 4d73c7699e845e2da963c5bb71c21798febb2f7af591b62a7c2d940adc6fa32f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB945
  Size: 5308 bytes

Filename: font_01_sfnt_off0000cb25.bin
  SHA-256: 7be7affc3d2f6658d1c4d32a93f3b1278abb49e3c53b0139eee58c936b6f1484
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB25
  Size: 12432 bytes