Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfde2ca16c8a2341…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2020-08-31 10:47:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fd3dde17f2570efec7b261b5880de96
SHA-1: 35720bd806be042cecdf48958be297204008e4d2
SHA-256: bfde2ca16c8a23413e1a1e5e99c632b6c895394928151c3c671387ed5dabb368
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=clinical+examination+talley+pdf'. This URL is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking PDF links, suggesting a lure to a malicious resource.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, id: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=clinical+examination+talley+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000494f.bin
  SHA-256: 787c46253c82d7f5112e76f45488c3b16326618c970e3cc9ba73a3060acc9d18
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x494F
  Size: 5104 bytes

Filename: font_01_sfnt_off00005aa0.bin
  SHA-256: be1ab777086d0c47af9a07665242c578f61beb3df59af263afb399552c5123e6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5AA0
  Size: 9580 bytes

Filename: font_02_sfnt_off00007ba0.bin
  SHA-256: 2e8b4be0a3481a8087ca52ccdb3827111a4cc7df730a1b2dbaf01bed5b540fed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7BA0
  Size: 20848 bytes