Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bdbb72d8a183da3…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Created: 2020-10-05 09:33:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f0ff8350ef48298f357f2c54ee05f04
SHA-1: 49141f404f8c67f01793a2b92215ba984d064449
SHA-256: 2bdbb72d8a183da30ad9b1e2b2156509b4c1b1f71f86e30117beda6d99d08b2a
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical heuristic for a malicious redirector link. The embedded URL, https://ttraff.me/pify?keyword=road+to+success+driving+school+reviews, is the primary indicator of malicious activity. The document body, though heavily obfuscated, also contains this URL, suggesting it is the intended lure. The file was authored using wkhtmltopdf, a tool that can also be used to generate malicious PDFs.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.me/pify?keyword=road+to+success+driving+school+reviews

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00007b2b.bin (SHA-256 62340e92d9d22e0f30b6126da89335a4d430ba553f4cba006e08876d03c1f1f7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B2B | 5360 bytes
font_01_sfnt_off00008d78.bin (SHA-256 73d92ee8dab69fd3a19b286c39dcf1924f08d87c5b1aee65267810ece1df18a8) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D78 | 10284 bytes