Malicious PDF — malware analysis report

Static analysis result for SHA-256 c19d00eab71157e7…

MALICIOUS

PDF

46.3 KB Created: 2020-08-21 14:28:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 404ac01f0bb6540727f1fd00fa8e45a9 SHA-1: 5756d6756c613618ebcb09941f4e899a9b2fdc3d SHA-256: c19d00eab71157e7645f85f969e777bf0992b6dac68eaa96785cf56969caf239
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains multiple embedded links, with one identified as a malicious redirector pointing to 'ttraff.com'. The document body, though partially corrupted, contains text related to 'penalty for falsifying timesheets uk' and includes the malicious URL. This suggests a phishing or scam attempt, leveraging a lure to direct users to a potentially harmful site. The presence of numerous external PDF links also indicates a link farm, a common tactic for SEO manipulation or distributing malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=penalty+for+falsifying+timesheets+uk
    • http://files.juliewiegand.com/uploads/1/3/1/4/131453480/dd1b72145be5fa.pdf
    • http://wugew.bensonbunnies1971.com/uploads/1/3/0/7/130776445/fufimunub-nibifafesosov-vasux.pdf
    • http://files.maryharttextileart.com/uploads/1/3/0/7/130739117/1885315.pdf
    • http://files.saratogatemple.org/uploads/1/3/1/4/131438460/2644473.pdf
    • http://files.huckleberryherbs.com/uploads/1/3/0/7/130740596/wutumirerowitudid.pdf
    • https://cdn.shopify.com/s/files/1/0429/3754/8959/files/unity_car_games.pdf
    • https://cdn.shopify.com/s/files/1/0430/4257/0402/files/ejemplos_de_diagrama_bimanual.pdf
    • https://cdn.shopify.com/s/files/1/0440/6562/0118/files/abbey_college_performing_arts_facebook.pdf
    • https://cdn.shopify.com/s/files/1/0428/8688/9625/files/bixatev.pdf
    • https://cdn.shopify.com/s/files/1/0438/2641/3725/files/xofavelavuwuxofaxu.pdf
    • https://cdn.shopify.com/s/files/1/0429/4112/0679/files/java_concepts_7th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0435/8458/5883/files/95660888555.pdf
    • https://cdn.shopify.com/s/files/1/0430/3139/6501/files/30719520581.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000077c2.bin
7a8b1ae952e6e1857bb6f7f66ddd04dd16d96f3c47dc21d02de5a69a168ed200		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77C2 5348 bytes
font_01_sfnt_off000089d0.bin
4f4da21dcc1b10cf5fb051e1831c1e6aff5fc7a9c2e86e1a243dae5fab388e5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89D0 10020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.