Malicious PDF — malware analysis report

Static analysis result for SHA-256 21646b80dd23a8c7…

Verdict: MALICIOUS
File type: PDF
Size: 178.0 KB
Created: 2020-08-08 11:24:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bdc80a58c93d31cf61260a30b6ec737
SHA-1: d1d4b82ef670ff87f04960e63b10b49e89b348ee
SHA-256: 21646b80dd23a8c79a9f8bc5b24ee7cd1b595602101ac7a84964c32f80708038
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, appears to contain the same URL, suggesting a lure to a malicious site. This indicates an attempt to redirect the user to a phishing or malware distribution page, disguised as a document about baby names.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure (severity: high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (clickable link to the redirector noted above): https://ttraff.com/pify?keyword=islamic+baby+names+with+meaning+in+tamil+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00027d95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27D95 | 5744 bytes
  SHA-256: 5a9bd853e2cc3fb1b171a7b09bd8419f2fae91cf69976a268071a03d96b95120
font_01_sfnt_off00029119.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29119 | 12896 bytes
  SHA-256: 95ad95a9719b12f4abe2fdcb7a047677b91fc17f6eac9c34318af498f1ddeff7