Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca5b0e07c9dde521…

Verdict: MALICIOUS
File type: PDF
Size: 157.0 KB
Created: 2020-08-06 11:01:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4740a033c0c071394409bb44c23d5606
SHA-1: c6df092c8a3808bdce52c486aa1125099e830efd
SHA-256: ca5b0e07c9dde5218791b14d761a482dfef275c00cdae4130e31dbb6d9b6c50d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, 'https://ttraff.com/pify?keyword=hypertension+treatment+guidelines+2020+pdf', is the primary indicator of malicious intent. This suggests the document is designed to lure users to a compromised site, likely for further exploitation or credential harvesting.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=hypertension+treatment+guidelines+2020+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • stream_006_off00020db5.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x20DB5
    Size: 11392 bytes
    SHA-256: e8a9d415a9b21454cc574b048d32d3aaf70ac1222976d15b6e8a2f69a20de542
  • font_00_sfnt_off0001fa63.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FA63
    Size: 5700 bytes
    SHA-256: bfb84904c02cc6c6136f897b5813deb77012dd339ffaa0b5621f8a4e3fd95d73
  • font_02_sfnt_off00022dcd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22DCD
    Size: 17104 bytes
    SHA-256: d163ea551a232573b62cb91fe8de7d4a45a54cc575a46bb6ff6261eb634cd9e9