Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9de350eb30578c4…

MALICIOUS

PDF

44.3 KB Created: 2020-08-31 19:07:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9444f77098f1226aed371a04710aee06 SHA-1: e5d64789a3bf31e90651d86baf8aed03ef853ad7 SHA-256: e9de350eb30578c4e8b7f32bd326dfd7df7020a5d76f56a630990645aa0a837e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=svs+guidelines+carotid+stenosis'. This link is presented within the document body, suggesting a social engineering lure. The file also contains a large number of embedded links, many of which point to Shopify domains, indicating a potential link farm or distribution mechanism. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector is a strong indicator of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=svs+guidelines+carotid+stenosis
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/falodegod.pdf
    • https://cdn.shopify.com/s/files/1/0441/1555/8552/files/spider_man_ps4_size.pdf
    • https://cdn.shopify.com/s/files/1/0435/4598/5192/files/kafodukibosowekudu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5429/3402/files/ember_bore_setup.pdf
    • https://cdn.shopify.com/s/files/1/0437/7555/7793/files/megamorotanufu.pdf
    • https://static.usrfiles.com/ugd/23e9be_48e90d5afd99475d969b2c327e02adf8.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb7597026f9b4837ac99584f58d023c1.pdf
    • https://static.usrfiles.com/ugd/9757e7_951b333ce0224a848947a026f39f9018.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_0be10a1193764e4d831cb9435f82ad80.pdf
    • https://static.usrfiles.com/ugd/a43ec6_5bcd3121f9d54267a1e34af714733e44.pdf
    • https://static.usrfiles.com/ugd/9219f8_c3e944747dac46258bd47808f1fe2242.pdf
    • https://static.usrfiles.com/ugd/15ebe2_8fbfeeea6f5d43d2bf2bd0bc9743f0c1.pdf
    • https://medlineplus.gov/carotidarterydisease.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ec8.bin
cfb65d81f89f4b5ec57b58e970fc0750bd79a31c76e4f799408ac92a991040f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EC8 5272 bytes
font_01_sfnt_off000080c4.bin
1c070adfc59737658b5d00f8fe5385204e5c5ca9122334991be61e30cab71ca4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80C4 10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.