Malicious PDF — malware analysis report

Static analysis result for SHA-256 25696604cc49fa36…

MALICIOUS

PDF

399.8 KB Created: 2020-08-22 05:33:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4595ceb38498f60b3b839acabe0e0b50 SHA-1: ffafdc6671630289a13bb65787b1587fb1d203a4 SHA-256: 25696604cc49fa36f91fb7b16e6c996ea5d6baf6aab7abff0f2522929f1873b0
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=kubot+the+aswang+chronicles+2++kickass'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of a 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates that the document may be intended to trick the user into providing a password for a separate archive, likely containing a malicious payload. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=kubot+the+aswang+chronicles+2++kickass
    • http://files.bajaartcollective.com/uploads/1/3/1/4/131407284/tixadivemu.pdf
    • http://xoduler.libertytechcharter.org/uploads/1/3/1/4/131483152/5a99507b.pdf
    • http://files.innerpathways.ca/uploads/1/3/1/4/131406885/682429.pdf
    • http://vofened.dancandell.com/uploads/1/3/1/3/131384429/xarovazavapu_nibafedo.pdf
    • http://files.mattzarley.com/uploads/1/3/0/9/130969572/3761779.pdf
    • http://zylscaxfhzlp.com/zylscaxfhzlp/lt;a
    • http://zylscaxfhzlp.com/zylscaxfhzlp/lt;a'gt
    • https://cdn.shopify.com/s/files/1/0435/0902/2886/files/ziwat.pdf
    • https://cdn.shopify.com/s/files/1/0431/5742/2229/files/dufaxanizax.pdf
    • https://cdn.shopify.com/s/files/1/0430/7389/6602/files/48118032386.pdf
    • https://cdn.shopify.com/s/files/1/0431/4978/7285/files/xukubanu.pdf
    • https://cdn.shopify.com/s/files/1/0432/5244/9444/files/pafonisumufinarope.pdf
    • https://cdn.shopify.com/s/files/1/0434/5479/1832/files/catalogue_muji.pdf
    • https://cdn.shopify.com/s/files/1/0429/3433/7695/files/momuzolaturubisomog.pdf
    • https://cdn.shopify.com/s/files/1/0438/9981/4056/files/xunuxunidojo.pdf
    • https://cdn.shopify.com/s/files/1/0435/2458/7674/files/18522668817.pdf
    • https://cdn.shopify.com/s/files/1/0436/9186/8310/files/keynote_templates_for_powerpoint_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_012_off0005eaff.bin
ce1d5464458e5c0441f7b00635b4cfdf6b57c8de0f730e7ab58da86eafde45c0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5EAFF 30688 bytes
font_00_sfnt_off00056a0d.bin
e21af44dd405cff1346ef8ce91cbd1a86f36e4e2b8772f25cab7bcf0b0aaac58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56A0D 10608 bytes
font_01_sfnt_off00058cd0.bin
4103a58796cf730084875deab0e1c32bf1ca881b12e48a887f2c5ced2c124dbd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58CD0 5456 bytes
font_02_sfnt_off00059f5b.bin
f8267c7def47dbd799928b07b0ebfda9e5f47948007c10a33c2f1e12fb5eb854		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59F5B 5920 bytes
font_03_sfnt_off0005ae4a.bin
bfeed19938278a754a7cbe71fa710cf35e96a89662d33271dc8d2f4fd67b2c80		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AE4A 22628 bytes
font_05_sfnt_off0006218c.bin
3bb30b657fbb0be88d0bb9792a036cf54b59140ab892bd9a9b807d85c403954d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6218C 3248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.