Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7cee0d850ccce2d…

MALICIOUS

PDF

42.2 KB Created: 2020-08-30 05:41:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61ac0b91ef4e11df8a8c61f4c1742683 SHA-1: 6a0b7ae3fc34d6252448dd770c2d47a602f8785d SHA-256: a7cee0d850ccce2d9e9ffd39c991a5edd4954c96af43e5418a387024dcfe04ab
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to lure users with job-related keywords, directing them to a malicious redirector. The primary malicious URL identified is https://ttraff.com/wix?keyword=ultrasound+technician+pay+per+hour. The document body, though heavily obfuscated, contains this URL and other benign-looking PDF links hosted on Shopify and static.usrfiles.com, likely to mask the malicious intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=ultrasound+technician+pay+per+hour
    • https://cdn.shopify.com/s/files/1/0433/8611/0108/files/lufijirebopani.pdf
    • https://cdn.shopify.com/s/files/1/0434/1324/2014/files/research_paper_format_sample.pdf
    • https://cdn.shopify.com/s/files/1/0434/7595/9973/files/wizapixukuz.pdf
    • https://cdn.shopify.com/s/files/1/0440/5523/2677/files/august_month_current_affairs_vision_ias.pdf
    • https://static.usrfiles.com/ugd/5ad03d_c8e7249f5fab4654b02d8f0575926045.pdf
    • https://static.usrfiles.com/ugd/b8c837_a7c66bdfd47e45849508a83533fc6e57.pdf
    • https://static.usrfiles.com/ugd/599f1c_4220f43adba84e609acc1f0fe8b00a3b.pdf
    • https://static.usrfiles.com/ugd/b8c837_b06b5aaf1a4144489b5c9a0afeb24d87.pdf
    • https://cdn.shopify.com/s/files/1/0433/8463/5544/files/network_monitoring_and_troubleshooting_for_dummies_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/7328/2983/files/51375508762.pdf
    • https://cdn.shopify.com/s/files/1/0437/2607/8106/files/konusijikis.pdf
    • https://cdn.shopify.com/s/files/1/0430/6829/3287/files/86745906140.pdf
    • https://static.usrfiles.com/ugd/5ed537_1948ae768e0a4498a18156dcf9ae3919.pdf
    • https://static.usrfiles.com/ugd/b8c837_946e224b9e224da3ba33e5d7e7495b8f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066d1.bin
7d5fa69a1ed4b858e1bb2c91686928e47dd8a658e4746441379ed48868e8cd5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66D1 5252 bytes
font_01_sfnt_off000078a6.bin
247031a6e6eb7898df50f73105581f91c9f365119a473bc2624bf96b0fa2fd52		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78A6 10456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.