Malicious PDF — malware analysis report

Static analysis result for SHA-256 1da2630e9dda8ef2…

Verdict: MALICIOUS
File type: PDF
Size: 335.4 KB
Created: 2020-08-23 05:23:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85926be31ccd7016d88ed7ff48f6f950
SHA-1: 70f4433a4aa67faaefa8612bdfd1774900b87568
SHA-256: 1da2630e9dda8ef252189a5c4f23d0e73fbd94b296b9150f8bc77ff15cd79e61
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link. The sample's malicious behaviour is a clickable redirector URL; T1566.001 (Spearphishing Attachment) applies in addition only if the PDF itself arrived as a mail attachment.
  • T1059.001 Command and Scripting Interpreter: PowerShell. Nothing extracted from this sample in the static analysis below (no script, action or embedded executable, only link annotations and two fonts) evidences PowerShell use, so treat this mapping as an association with the wider campaign rather than a property of this file.

The PDF triggers a heuristic for a link to known malicious redirector infrastructure: a clickable URI annotation whose target, 'https://ttraff.cc/pify?keyword=yummy+guide+league+of+legends', also appears in the visible page text. The redirector forwards whoever clicks it to the campaign's downstream infrastructure. The document content is a lure that uses a popular game title (visible in the keyword parameter) to attract clicks. The file was produced with wkhtmltopdf, i.e. rendered from an HTML page, which fits a mass-generated SEO-spam document rather than a hand-crafted exploit file.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction (clicking the link) and a redirect chain rather than on a PDF parser vulnerability: this report records no JavaScript, auto-action or embedded file for the sample, only link annotations and two embedded fonts, so simply opening the file is not what the campaign depends on.
    URL: https://ttraff.cc/pify?keyword=yummy+guide+league+of+legends
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that carries it (link annotation, document body, metadata, ...). The extracted URLs fall into three groups.
    Redirector link (clickable annotation, also present in the page text):
    • https://ttraff.cc/pify?keyword=yummy+guide+league+of+legends
    Further PDF documents on third-party file hosting (site-builder upload directories and cdn.shopify.com file storage); in a PDF SEO campaign these are typically sibling lure documents cross-linking each other:
    • http://files.davismadrigals.com/uploads/1/3/0/9/130969254/529779.pdf
    • http://molovor.embodimentcollective.co.nz/uploads/1/3/0/7/130775164/kepelisufafokewimo.pdf
    • http://nepogi.verybestfineart.com/uploads/1/3/1/8/131858661/tavadub.pdf
    • http://xafajol.isabelsherk.com/uploads/1/3/1/3/131379730/7126304.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9011/files/vumowubi.pdf
    • https://cdn.shopify.com/s/files/1/0438/6953/6411/files/amino_acids_structure_and_properties.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/sadadekexib.pdf
    • https://cdn.shopify.com/s/files/1/0435/1141/4943/files/14261199798.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/vebipu.pdf
    • https://cdn.shopify.com/s/files/1/0434/5056/4773/files/carmilla_francais.pdf
    • https://cdn.shopify.com/s/files/1/0432/4930/3720/files/wubotisozox.pdf
    • https://cdn.shopify.com/s/files/1/0430/4296/3613/files/nugexanuliwimuxidejig.pdf
    • https://cdn.shopify.com/s/files/1/0436/2030/3011/files/58162337563.pdf
    • https://cdn.shopify.com/s/files/1/0430/6790/0061/files/25482665136.pdf
    XMP metadata namespace declarations (standard RDF, Dublin Core and Adobe XMP schema identifiers found in any XMP-tagged PDF; they are not navigable links and carry no signal on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
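The per-channel distinction the EMBEDDED_URL heuristic relies on (a clickable link annotation versus the same string in page text versus an XMP namespace URI) can be reproduced with a small static triage script. The following is an added example, not the analysis platform's own code: the PDF it scans is constructed inline (uncompressed, one page, one link annotation, one XMP stream), the watchlist holds the redirector host named in this report, and the regex-based parsing is deliberately lenient so it also works on damaged files. It additionally lists PDF names that would indicate a path not requiring a click (JavaScript, OpenAction, Launch, embedded files), which is the check behind the statement that this campaign relies on user interaction rather than a parser bug.

```python
"""Triage the URLs inside a PDF by the channel that carries them (link
annotation, page text, XMP metadata) and flag known redirector hosts.
Added example, not the analysis platform's code: SAMPLE_PDF is constructed
and uncompressed; WATCHLIST_HOSTS holds the redirector host from the report."""
import re
import zlib
from urllib.parse import urlparse

# Constructed sample: the link annotation and the visible text both carry the
# redirector URL, and the XMP metadata stream declares two namespace URIs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 83 >>
stream
BT /F1 12 Tf 72 700 Td (Download: https://ttraff.cc/pify?keyword=yummy+guide) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 712]
/A << /S /URI /URI (https://ttraff.cc/pify?keyword=yummy+guide) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 158 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

WATCHLIST_HOSTS = {"ttraff.cc"}  # redirector host from this report

URL_RE = rb"https?://[^\s<>()\"']+"
LINK_RE = rb"/Subtype\s*/Link(?:(?!endobj).)*?/URI\s*\((.*?)\)"   # one annot object
XMLNS_RE = rb'xmlns:[A-Za-z0-9_.-]+="(https?://[^"]+)"'          # XMP schema URIs
STREAM_RE = rb"stream\r?\n(.*?)\r?\nendstream"
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia")


def expand_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream so URLs inside
    compressed content or metadata streams are visible to the scan."""
    inflated = []
    for m in re.finditer(STREAM_RE, pdf, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # stream is stored uncompressed or uses another filter
    return pdf + b"\n" + b"\n".join(inflated)


def find_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels it was seen in."""
    buf = expand_streams(pdf)
    found, consumed = {}, []

    def add(url: bytes, channel: str) -> None:
        found.setdefault(url.decode("latin-1"), set()).add(channel)

    for m in re.finditer(LINK_RE, buf, re.S):      # clickable annotations
        add(m.group(1), "link-annotation")
        consumed.append(m.span(1))
    for m in re.finditer(XMLNS_RE, buf):           # metadata namespaces
        add(m.group(1), "xmp-namespace")
        consumed.append(m.span(1))
    for m in re.finditer(URL_RE, buf):             # anything else: page text etc.
        if not any(a <= m.start() < b for a, b in consumed):
            add(m.group(0), "document-body")
    return found


def triage(pdf: bytes) -> dict:
    """url -> (sorted channel tuple, verdict)."""
    result = {}
    for url, channels in find_urls(pdf).items():
        host = urlparse(url).hostname or ""
        if channels == {"xmp-namespace"}:
            verdict = "metadata-namespace"        # schema identifier, not a link
        elif host in WATCHLIST_HOSTS:
            verdict = "known-redirector"
        else:
            verdict = "review"
        result[url] = (tuple(sorted(channels)), verdict)
    return result


def active_content(pdf: bytes) -> list:
    """PDF names that would give the file a code path not needing a click."""
    buf = expand_streams(pdf)
    return [k.decode() for k in ACTIVE_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", buf)]


if __name__ == "__main__":
    for url, (channels, verdict) in sorted(triage(SAMPLE_PDF).items()):
        print(f"{verdict:20} {','.join(channels):30} {url}")
    print("active content:", active_content(SAMPLE_PDF) or "none")
```

On the constructed sample the redirector URL comes back with both the link-annotation and document-body channels and the known-redirector verdict, the two XMP URIs are classified as metadata namespaces, and no active-content names are present. Object streams (/ObjStm) and non-Flate filters are outside what this script inflates; run it after a full decompression pass (qpdf --qdf, for instance) on real samples.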

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0004e5e2.bin
  SHA-256: 52cbd9d903f402ea5d19378ad9e06e8bd4659a9cfe5a2fcaaab8058de517e7d0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E5E2
  Size: 5196 bytes

Filename: font_01_sfnt_off0004f78a.bin
  SHA-256: 605751c90b5fdf4612da2ec74d28029a792aa5b22ad188f76d5a71c71fc8f03c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4F78A
  Size: 16716 bytes

Both artifacts are embedded font programs needed to render the page text; no executable, script or nested document was carved from the sample.
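The artifact names above (kind, file offset, carved size, SHA-256) are what a font carver produces. The following is an added example of such a carver, not the analysis platform's own code: it locates stream bodies that begin with an sfnt magic, recovers each font's true size from its table directory instead of trusting the stream's /Length, and hashes the carved bytes. The PDF it runs on is constructed around a hand-built one-table TrueType sfnt; the carved file naming follows the pattern used in the table above.

```python
"""Carve embedded sfnt (TrueType/OpenType) font programs out of a PDF and
hash them. Added example, not the analysis platform's carver: SAMPLE_PDF and
the minimal sfnt inside it are constructed here."""
import hashlib
import re
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Mac TrueType, CFF OpenType


def sfnt_length(buf: bytes, off: int):
    """Size of the sfnt at buf[off:], derived from its offset table (version,
    numTables, searchRange, entrySelector, rangeShift) and the 16-byte table
    records (tag, checksum, offset, length) that follow. Returns None when the
    directory is implausible, which guards against random 00 01 00 00 bytes."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables          # tables must start after the directory
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c < 0x7F for c in tag):   # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:
            return None
        end = max(end, t_off + t_len)
    return end


def carve_fonts(pdf: bytes) -> list:
    """Carve every stream whose body starts with an sfnt magic."""
    fonts = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        size = sfnt_length(pdf, start)
        if size is None:
            continue                          # not a font, or a broken directory
        blob = pdf[start:start + size]
        fonts.append({
            "name": f"font_{len(fonts):02d}_sfnt_off{start:08x}.bin",
            "offset": start,
            "size": size,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return fonts


def build_sfnt(table: bytes = b"\x00\x00\x00\x01") -> bytes:
    """Constructed minimal TrueType sfnt with a single 'head' table record."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 28, len(table))
    return header + record + table            # 12 + 16 + 4 = 32 bytes


SAMPLE_FONT = build_sfnt()
# Constructed PDF fragment: the font in its own stream object, followed by a
# non-font stream that must not be carved.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"7 0 obj << /Length 32 >>\nstream\n" + SAMPLE_FONT + b"\nendstream\nendobj\n"
              b"8 0 obj << /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
              b"%%EOF\n")


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f"{f['name']}  offset=0x{f['offset']:X}  size={f['size']}  sha256={f['sha256']}")
```

Fonts stored in Flate-compressed streams have to be inflated before this scan sees their magic, and a sfnt whose directory points past the stream is rejected rather than partially carved; both are the cases where a naive "trust /Length" carver produces artifacts with misleading hashes.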