Malicious PDF — malware analysis report

Static analysis result for SHA-256 e72bdec30eb81d2b…

MALICIOUS

PDF

49.0 KB Created: 2020-09-01 21:44:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ffce2e0ab7119c2864d2525d63fa03c SHA-1: 69d4c8ce4f5c6719610e2cb2e081338a78b8c022 SHA-256: e72bdec30eb81d2b0d59b62230195f6b7e67d3063c1471f2f212f5d6b15108b4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external PDF files, indicating a link farm. One of the primary links, 'https://ttraff.com/wix?keyword=cystic+fibrosis+bone+mineralisation+guidelines', is identified as a malicious redirector. This suggests the document is designed to lure users to malicious infrastructure, likely for further exploitation or phishing. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=cystic+fibrosis+bone+mineralisation+guidelines
    • https://static.usrfiles.com/ugd/b48b60_7c0ecf8bc3cc4d1ca24795baef580183.pdf
    • https://static.usrfiles.com/ugd/3aca14_1182a93de98f4c799078c4054d3ee4cc.pdf
    • https://static.usrfiles.com/ugd/1cc7e8_b8a516b0ff9f496fb55726269c0aa684.pdf
    • https://static.usrfiles.com/ugd/3e9e83_52bba5ac2b584322a77043cff57adfe3.pdf
    • https://static.usrfiles.com/ugd/b8c837_40c5fd9c944a481ea9dd43ed29ba0cb3.pdf
    • https://cdn.shopify.com/s/files/1/0433/7516/5594/files/avengers_endgame_4k_blu_ray.pdf
    • https://cdn.shopify.com/s/files/1/0431/8943/6580/files/vatimedilesamudukef.pdf
    • https://cdn.shopify.com/s/files/1/0435/5561/8977/files/jailbreak_8._4_1.pdf
    • https://static.usrfiles.com/ugd/0ad6c7_157c906a7f274283923758aa26bb405a.pdf
    • https://static.usrfiles.com/ugd/b8c837_510266711ea44240aaaeddf1757f5147.pdf
    • https://static.usrfiles.com/ugd/b8c837_56c778c42d384d11aaec11678f32ac8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_5115728ce64343c68e1683551c93fbcf.pdf
    • https://static.usrfiles.com/ugd/9e53d4_668c6ce72c9b4caca4bff58d6b26f4f2.pdf
    • https://static.usrfiles.com/ugd/41a0b6_0f90867c5c3b44f7bd5d1bbe86f36cee.pdf
    • https://static.usrfiles.com/ugd/5b5da7_5ff9093e87654639a7794f3123dd3d65.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008254.bin
26b1937f35426780c399dc8c6c5158ec68da76cb47a192ed2460b69084de6cf9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8254 5488 bytes
font_01_sfnt_off000094eb.bin
b5b95f9d1b9942b4bfceb92826ffa98f62471ba6a8f59bce4e3e96548e3e9cde		 pdf-font-stream PDF embedded font (sfnt) at offset 0x94EB 9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.