Malicious PDF — malware analysis report

Static analysis result for SHA-256 2806a56a804c8387…

MALICIOUS

PDF

40.2 KB Created: 2020-08-27 17:29:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: abc8bc309ce8be5dbf1546e08c316a09 SHA-1: 92a79293d9a63c735f474ef4dd96ee2ee52debba SHA-256: 2806a56a804c8387f4095f48e4ba4f023ac54066dd9cc5f51d70a0a596525331
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1539 Steal Application Data

This PDF document functions as a credential harvesting lure, specifically targeting Apple ID login information and potentially MFA codes. The document body contains text and embedded URLs designed to trick users into visiting malicious sites. The heuristic firings indicate the presence of a malicious redirector link and a lure for MFA or recovery secret harvesting, consistent with phishing tactics. The primary malicious URL identified is https://ttraff.club/pify?keyword=www.+iforgot.+apple.+com+espa%25C3%25B1ol, which is likely used to redirect users to a phishing page.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=www.+iforgot.+apple.+com+espa%25C3%25B1ol
    • http://jomaxe.breadivore.com/uploads/1/3/1/3/131383791/jipigozobar-diregiged-dozudovesikokim-wamukegibaxifid.pdf
    • http://files.nickelcityalchemy.com/uploads/1/3/1/3/131380158/a502a481c3698.pdf
    • http://files.frankhagancontracting.com/uploads/1/3/2/6/132681404/zatamutofineve.pdf
    • http://tusife.lauramatheny.com/uploads/1/3/0/7/130739593/fixebu-figinaxakofil.pdf
    • http://files.milenaciciotti.com/uploads/1/3/0/8/130874095/b94d0ab8.pdf
    • https://cdn.shopify.com/s/files/1/0431/2157/4044/files/10727360848.pdf
    • https://cdn.shopify.com/s/files/1/0439/2960/0155/files/moxukabopu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0200/3609/files/asylum_game_chapter_8_answers.pdf
    • https://cdn.shopify.com/s/files/1/0438/8575/6568/files/lufatorepi.pdf
    • https://cdn.shopify.com/s/files/1/0438/9027/8568/files/exercice_leur_leurs_cm1.pdf
    • https://cdn.shopify.com/s/files/1/0461/7266/8057/files/fevepogepuxoxixidufabora.pdf
    • https://cdn.shopify.com/s/files/1/0428/5169/6796/files/gate_agricultural_engineering_syllabus_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/7993/3862/files/muzogovomamux.pdf
    • https://cdn.shopify.com/s/files/1/0431/0702/5060/files/nojuva.pdf
    • https://cdn.shopify.com/s/files/1/0431/8212/9320/files/edit_change_text_color.pdf
    • https://cdn.shopify.com/s/files/1/0432/0496/8603/files/garment_specification_sheet_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005caa.bin
ad39628217aa373cb04565899401f4675adc6bb325f8503fd92c18bf875fb18a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CAA 5684 bytes
font_01_sfnt_off00006fcf.bin
b46084e8622371c1927b373a2da5ab54d544fbdcf30169a79cdc8618979e77ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FCF 10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.