Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec515dc95c92050e…

MALICIOUS

PDF

277.3 KB Created: 2020-09-01 04:01:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b5ab7f9e3894a8e72b3086fd09cb67c SHA-1: 48a343abbfce23141f7a674275182008461b9cef SHA-256: ec515dc95c92050e1503fcf02daa09fea05ebe8a75c04dbd657e725d0e785be8
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF file contains a malicious redirector link that points to 'ttraff.cc'. This link is presented within the document body, disguised as a report title. The primary purpose appears to be directing the user to a malicious external resource. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=amcor+limited+annual+report+2016
    • https://cdn.shopify.com/s/files/1/0432/0778/6654/files/xadefafigiloleni.pdf
    • https://cdn.shopify.com/s/files/1/0432/2213/9043/files/enteral_feeding_guidelines_australia.pdf
    • https://cdn.shopify.com/s/files/1/0436/1430/6467/files/narrative_report_sample_for_ojt_in_restaurant.pdf
    • https://cdn.shopify.com/s/files/1/0429/8850/3203/files/85071558651.pdf
    • https://cdn.shopify.com/s/files/1/0433/0065/1158/files/fluke_179_multimeter_user_manual.pdf
    • https://static.usrfiles.com/ugd/26481d_2f458214ee4049ff8057e83af1ae3849.pdf
    • https://static.usrfiles.com/ugd/299074_b045fa2b72a542d08319757cb8678513.pdf
    • https://static.usrfiles.com/ugd/538d67_b749bd9a9de043d793b1a20b67d803be.pdf
    • https://static.usrfiles.com/ugd/b8c837_92acc624d2f3472e8150f51cdc7d6fa7.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_91fac63f50304beb82b3512bc88e40a0.pdf
    • https://static.usrfiles.com/ugd/739437_d2bbfbb9f165403b9f79a9cbaec71791.pdf
    • https://static.usrfiles.com/ugd/b8c837_65ba4661c4114ae5b19122fcf15efaec.pdf
    • https://static.usrfiles.com/ugd/8127dd_e18efbac80714de59bd1e4d530935088.pdf
    • https://static.usrfiles.com/ugd/a18aa6_4e8f1a9335e343dc90751546f3a4a9e3.pdf
    • https://static.usrfiles.com/ugd/fb83f1_243cadb61f54434a855b5a4cc9614d0a.pdf
    • https://static.usrfiles.com/ugd/b8c837_685c5de96c4c4fb7b9e312da8da0a627.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003f4ed.bin
625bc11956eb0b21389941d4bbd17ade1a1d8c1553590f79862489d10fe14dc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3F4ED 5392 bytes
font_01_sfnt_off0004071f.bin
7c11ef5a6873f3eb31bf713c7fd7d2349ffa57d2485a8beb61ba72f338c70553		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4071F 15992 bytes
font_02_sfnt_off00043821.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43821 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.