Malicious PDF — malware analysis report

Static analysis result for SHA-256 99b9b2743c56adf7…

MALICIOUS

PDF

34.2 KB Created: 2020-08-30 03:02:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b3eb1823548830a9e1a75ec12e050bd SHA-1: 23f914fe7fd1c44c4fb53f1fe5027a33ef7380b2 SHA-256: 99b9b2743c56adf70fc04c540ac5eef6d0775bc82ea063a4b247f6a482af7dc8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, disguised as a textbook. The document also features a large number of links to other PDFs hosted on Shopify and static.usrfiles.com, suggesting a link farm or SEO poisoning tactic to increase visibility. The primary malicious intent appears to be directing users to the ttraff.com URL, which likely serves as a gateway to further malicious activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=the+phlebotomy+textbook+3rd+edition
    • https://cdn.shopify.com/s/files/1/0427/8750/4294/files/zaxuxabunifije.pdf
    • https://cdn.shopify.com/s/files/1/0432/5025/3992/files/7716054187.pdf
    • https://cdn.shopify.com/s/files/1/0437/7621/3141/files/xikodulefazex.pdf
    • https://cdn.shopify.com/s/files/1/0431/4651/0504/files/bagigukinatujopixizikosa.pdf
    • https://cdn.shopify.com/s/files/1/0432/7096/3350/files/98602041122.pdf
    • https://static.usrfiles.com/ugd/b8c837_43cfc2a5113842e4b04da51788aeff86.pdf
    • https://static.usrfiles.com/ugd/09273f_32ed53d782034df296309829cd7d5d91.pdf
    • https://static.usrfiles.com/ugd/b8c837_aacdb2b4e93540f9b50dc859f16f846e.pdf
    • https://static.usrfiles.com/ugd/e42ee3_cda2c9113a5345409a908ea3ccc09c0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_60ba390690174b53b9191859c809e2a3.pdf
    • https://static.usrfiles.com/ugd/a44510_77c577d119e046ff95189a7aa648859c.pdf
    • https://static.usrfiles.com/ugd/f0f215_d6ee4297519f4e78bd663ee8b4d5c887.pdf
    • https://static.usrfiles.com/ugd/b8c837_83a6177815bb45f1bf535570ea7ac4f8.pdf
    • https://static.usrfiles.com/ugd/34ec99_64a8f8b3779043a78cb22aa05621af1a.pdf
    • https://static.usrfiles.com/ugd/4d400c_6544be7183c344fba6defe7b73291ab9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048c5.bin
a0d7769d489dc6a634a1147cc514090419aa8b40bb760ba30f9333fea7941e66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48C5 5296 bytes
font_01_sfnt_off00005aa9.bin
ccb6c2b930197ee90540be13321187bcb293ec5be5bde8810513e20edb7b61c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AA9 9908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.