Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d8dd6f34c41824c…

MALICIOUS

PDF

279.1 KB Created: 2020-07-30 23:35:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62da79d1880d1d2e900783e5b44e9552 SHA-1: b4511b987dce65e711fce5dd987088c897ab9494 SHA-256: 1d8dd6f34c41824c8bee9c083abfbc9b90fe62544501637796a30f5ec4f8dd5e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. This URL is likely used to lure users to a malicious site. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=compendio+del+catechismo+della+chiesa+cattolica+pdf
    • http://files.shilohchristianband.com/uploads/1/3/1/4/131406149/52464ecb5072888.pdf
    • http://files.traumarecoverybc.com/uploads/1/3/0/8/130874250/dae0ca5c657.pdf
    • http://files.takeyourchancetravel.com/uploads/1/3/2/6/132682640/61b85977d6b459c.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0241/files/pilixubeweregasulevi.pdf
    • https://cdn.shopify.com/s/files/1/0432/6513/0658/files/88120603290.pdf
    • https://cdn.shopify.com/s/files/1/0435/2131/0880/files/84690933603.pdf
    • https://cdn.shopify.com/s/files/1/0429/8804/4442/files/naleg.pdf
    • https://cdn.shopify.com/s/files/1/0431/9199/2480/files/deviseworeboje.pdf
    • https://cdn.shopify.com/s/files/1/0427/9622/0572/files/14334189682.pdf
    • https://cdn.shopify.com/s/files/1/0431/6869/4423/files/14828669340.pdf
    • https://cdn.shopify.com/s/files/1/0432/1335/7211/files/joxok.pdf
    • https://cdn.shopify.com/s/files/1/0434/0298/5621/files/legaxujutuzotenuxutul.pdf
    • https://cdn.shopify.com/s/files/1/0437/7496/7965/files/widajaximul.pdf
    • https://cdn.shopify.com/s/files/1/0440/7099/4085/files/mebowagipif.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0004141d.bin
5da87e23ec7fe29b89598a65a52230da91843ffdc370783ce1c60b143f31627e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4141D 5108 bytes
font_01_sfnt_off00042549.bin
69e0ce95fb6758b5d9fe2f127a592365dffeb042e2d63ac5f92c05c8fabd2e7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x42549 12180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.