Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2fc9810f18b66d2…

MALICIOUS

PDF

38.2 KB Created: 2020-09-01 15:38:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 56600be61dc03f39a6fec0f3f111b54e SHA-1: 6f31d544f0013d2f1f1b51805673e0799015db34 SHA-256: c2fc9810f18b66d25ed455746913027f22332069cec1615ad88a7c3b915e6c9c
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=virginia+cacfp+annual+cacfp+enrollment+form%2528+child%2529'. This heuristic, combined with the presence of a large number of external PDF links, suggests an attempt to lure users to malicious infrastructure. The document also contains a phone number lure, consistent with callback phishing or tech-support scams.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=virginia+cacfp+annual+cacfp+enrollment+form%2528+child%2529
    • https://static.usrfiles.com/ugd/9e53d4_6ff229e074734cc3b71336aac00f7567.pdf
    • https://static.usrfiles.com/ugd/ea78e0_87cd4b83274a47a2a1ed66b486830569.pdf
    • https://static.usrfiles.com/ugd/d216cb_3957d8f6e1024c4faec242b8e3363854.pdf
    • https://static.usrfiles.com/ugd/b8c837_fbc3e5146f5d47b9bd1c8682daaed1fc.pdf
    • https://static.usrfiles.com/ugd/4c76bf_903b8a99bf124ac785ae5e7ab3b054fb.pdf
    • https://cdn.shopify.com/s/files/1/0439/1147/9464/files/tirosovomavipu.pdf
    • https://cdn.shopify.com/s/files/1/0427/4218/6150/files/30182608595.pdf
    • https://static.usrfiles.com/ugd/b8c837_4435acaf8f07454098913d9b1539bec5.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_d33fd974088b4b0fa6c01da5962c9f6b.pdf
    • https://static.usrfiles.com/ugd/69b86f_7c5a37cdb9db40bdb16f7d094110c29f.pdf
    • https://static.usrfiles.com/ugd/b8c837_6e47c7c7d1a6442d8ebdcdc9369fa4d1.pdf
    • https://static.usrfiles.com/ugd/10a4aa_77987db5ca5c4b158a81990f460435b1.pdf
    • https://static.usrfiles.com/ugd/685707_dc98ce208c79459a992dc529a63bb2ff.pdf
    • https://static.usrfiles.com/ugd/d5415a_f0ccf51f966d4cf486e7c2b7e6f8a25c.pdf
    • https://static.usrfiles.com/ugd/b8c837_c91a8d6cd1764ee89fb98ba89efd4be0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005675.bin
7db96be18ed55c4c9f798701f8fade7d2c6f361f4d78f3eb40cd48ad8cc182b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5675 5512 bytes
font_01_sfnt_off00006924.bin
b883c9f0730d41a7af2d08eec2c9294c4359f8dbf8eae5aa82631ab313f1f8c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6924 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.