Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2e480d492b38f6d…

MALICIOUS

PDF

42.0 KB Created: 2020-08-22 13:49:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d86084b0fe6df6ebe820aa1b5c70587c SHA-1: 0d4d3bb6508374a2f109a2de062ca4919b179799 SHA-256: c2e480d492b38f6dbb0a5b6845b05be547179e64479ff97dde5f10bf746a6eac
148 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits a PDF link farm heuristic, with many links hosted on cdn.shopify.com, suggesting an attempt to distribute malicious content or SEO spam. The document body, though heavily obfuscated, contains the URL and mentions 'authorization letter template philippines', aligning with a phishing or social engineering lure. The presence of a callback lure heuristic further supports a social engineering attack pattern.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=authorization+letter+template+philippines
    • http://files.pacifictraininggroup.com/uploads/1/3/2/6/132682441/7d91c07658.pdf
    • http://moleto.noahzion.com/uploads/1/3/1/4/131438044/5897994.pdf
    • http://nowixam.aircraftmodelling.com/uploads/1/3/0/9/130969060/midiwazebagefup-lunifor-didowuxevosele.pdf
    • http://files.mynaturalclinic.com.au/uploads/1/3/0/7/130776150/tapirogujiral-zejolenofat.pdf
    • https://cdn.shopify.com/s/files/1/0431/8353/8331/files/wamekaferebadorobiwuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/4433/8838/files/71920556837.pdf
    • https://cdn.shopify.com/s/files/1/0438/4112/6565/files/57372563391.pdf
    • https://cdn.shopify.com/s/files/1/0429/5085/2762/files/77858307559.pdf
    • https://cdn.shopify.com/s/files/1/0428/8380/9439/files/8917099578.pdf
    • https://cdn.shopify.com/s/files/1/0428/2161/5775/files/72058548475.pdf
    • https://cdn.shopify.com/s/files/1/0433/4387/2153/files/fundamental_trig_identities_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0432/0896/6306/files/pusisojakinokomutimi.pdf
    • https://cdn.shopify.com/s/files/1/0460/3910/5700/files/barretos_2018_cd.pdf
    • https://cdn.shopify.com/s/files/1/0433/8240/7335/files/guretukopin.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tozonolemudafolafoxi.pdf
    • https://cdn.shopify.com/s/files/1/0436/4887/6702/files/bistro_romain_carte.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8317/files/bioplastico_a_base_de_cascara_de_platano.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066c8.bin
83a37aefaf4c8d6601f97f2c826b06fcc180ced8db1f937051307502e7ef6430		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66C8 5100 bytes
font_01_sfnt_off000077f0.bin
3fec110d5f81d45a1467660871ef50d15928d11c5317ae86d6c6a9f71e3b071e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77F0 10280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.