Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfa2911bb744c01e…

MALICIOUS

PDF

42.5 KB Created: 2020-09-01 07:09:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49a3b7968f6791c28babe59fa95b197f SHA-1: adb3641fe48964a60e7340c15ffb7a5a93af55d8 SHA-256: cfa2911bb744c01eb78ac3595a5c2a171cab8c37984236dc6d83d95395a1800c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains text related to 'Palm beach florida police reports' and the malicious URL, suggesting a lure. The file also exhibits characteristics of a link farm, with numerous external PDF links, many hosted on Shopify, but the primary malicious indicator is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=palm+beach+florida+police+reports
    • https://static.usrfiles.com/ugd/804ff6_2093cdfcb5ef41e8a4e32a13849ab556.pdf
    • https://static.usrfiles.com/ugd/82e28d_bec9cc7b2a4b449eb281ee5aad045ae1.pdf
    • https://static.usrfiles.com/ugd/ba3095_c48c8f7747dd49e4aac3af2a8d429fbe.pdf
    • https://cdn.shopify.com/s/files/1/0434/1356/9690/files/xixuzikara.pdf
    • https://cdn.shopify.com/s/files/1/0431/3245/3015/files/vugogutavawuzaxamobe.pdf
    • https://cdn.shopify.com/s/files/1/0434/1465/1038/files/process_of_mummification_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0432/2010/7424/files/bose_bluetooth_speaker_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0435/1423/2984/files/53097478033.pdf
    • https://cdn.shopify.com/s/files/1/0433/2178/6521/files/24233541001.pdf
    • https://cdn.shopify.com/s/files/1/0461/9377/0654/files/xugifimozivafozojumimop.pdf
    • https://cdn.shopify.com/s/files/1/0429/9227/1519/files/dojepagobogupu.pdf
    • https://static.usrfiles.com/ugd/03ae60_c499f83f59424edc9eee4a71ee54067f.pdf
    • https://static.usrfiles.com/ugd/097bd5_b9aa7ee4351041fbb50ad434f6ab96c8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065db.bin
df852a8f01d52f7dd303a79b10ddd0d6da958d9c29305f9e139f85d20fc6a7af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65DB 5536 bytes
font_01_sfnt_off0000787d.bin
cbfa8d6f629e5820b063f8ff978128fd97284acd5178ce8dc410756a4c278f66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x787D 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.