Malicious PDF — malware analysis report

Static analysis result for SHA-256 f96a5f913a3ce1fd…

MALICIOUS

PDF

50.3 KB Created: 2020-09-01 20:33:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87d2cc36dd3d59c550f86756461c83ee SHA-1: 2e3fc0feaca8f203d103019c48f8f276fb707531 SHA-256: f96a5f913a3ce1fd6d55bb5d6762c2270d2ccf9d7af4464729ee64694943ba74
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to 'ttraff.me'. The document body, though heavily obfuscated, contains text related to 'CMS infusion billing guidelines 2018', suggesting a lure. The PDF also contains a large number of embedded links, many pointing to shopify.com, likely part of a link farm to improve SEO for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=cms+infusion+billing+guidelines+2018
    • https://cdn.shopify.com/s/files/1/0431/8956/7650/files/64706451131.pdf
    • https://cdn.shopify.com/s/files/1/0431/2308/1378/files/80566535277.pdf
    • https://cdn.shopify.com/s/files/1/0437/5393/0901/files/javafx_web_view.pdf
    • https://static.usrfiles.com/ugd/73c254_07c020a86184489c9ee54873e9738c1b.pdf
    • https://static.usrfiles.com/ugd/bb13a2_9bc30d4660114b1da26953e34feaaf97.pdf
    • https://static.usrfiles.com/ugd/b8c837_2150710cad63447397fcdc2851c8d33f.pdf
    • https://static.usrfiles.com/ugd/d2751c_f2dd3b1d5fe745148f6c466631a1fa46.pdf
    • https://static.usrfiles.com/ugd/e3325f_c65eb8f3a5994d6f9f1acbb022722905.pdf
    • https://cdn.shopify.com/s/files/1/0443/8307/6518/files/sirotebetanu.pdf
    • https://cdn.shopify.com/s/files/1/0428/3134/7868/files/nolajoduwusikup.pdf
    • https://cdn.shopify.com/s/files/1/0437/1267/5990/files/sudosurevutazugixojabu.pdf
    • https://cdn.shopify.com/s/files/1/0434/0813/0213/files/grade_4_comprehension_worksheets_free_printable.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000851e.bin
902ee23b7c8e7d60cac1cf48002d991d594bfc2109bc373331361754db4c68b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x851E 5488 bytes
font_01_sfnt_off000097bc.bin
39d745f30d3712cb13df72f6df2e3c0c3bdadc012b04242e3618757bc29a07b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97BC 10748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.