Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd192f64de0ceb47…

Verdict: MALICIOUS
File type: PDF
Size: 57.9 KB
Created: 2020-09-11 15:59:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 886ca75adafdd8918dff75f6b4ab76e7
SHA-1: fd2600c3f51db323bdfc95e6ea809b33ce38689d
SHA-256: bd192f64de0ceb471222b1a17c40ce0c638cf90292d2b41f579e1e1654928c8f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical heuristic: it links to known malicious redirector infrastructure. The embedded URL 'https://ttraff.me/wix?keyword=bacilos+gram+positivos+que+forman+esporas' is the primary IOC. The document body, although heavily obfuscated, also contains this URL, reinforcing the malicious assessment. The file also exhibits the characteristics of a PDF link farm, with numerous external links, suggesting a broader campaign distributing malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/wix?keyword=bacilos+gram+positivos+que+forman+esporas

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00009377.bin
    SHA-256: 545f4da4a1ba0452822d8c494c9f6d85589d06648eba2e3b6be00247db4931dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9377
    Size: 5568 bytes
  • font_01_sfnt_off0000a65e.bin
    SHA-256: 52accf164d74def0150a19b2856fa2a0805e53e7700db9e157937934b11c5cd1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA65E
    Size: 16656 bytes