Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c2dc01c58166e51…

MALICIOUS

PDF

50.5 KB Created: 2020-08-31 03:01:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 602c37b5d589251a29394c5de25b7a3d SHA-1: 4d13d86852e7790338b56c6f97c8c902969d24f6 SHA-256: 2c2dc01c58166e51f96a26bcb2d5339dea8be2ec4049ed99734e8567f32eb014
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://ttraff.com/wix?keyword=yume+de+yozora+wo+terashitai, is identified as the malicious destination. While no scripts were extracted, the presence of this link strongly suggests a phishing or malware delivery attempt.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=yume+de+yozora+wo+terashitai
    • https://cdn.shopify.com/s/files/1/0434/8909/9938/files/nibot.pdf
    • https://cdn.shopify.com/s/files/1/0435/2458/7679/files/larobulogogizosanatowopo.pdf
    • https://cdn.shopify.com/s/files/1/0428/8688/9625/files/mekofisenef.pdf
    • https://cdn.shopify.com/s/files/1/0433/4993/4229/files/nolubafowefalazofokofux.pdf
    • https://cdn.shopify.com/s/files/1/0431/8255/5297/files/15777836784.pdf
    • https://cdn.shopify.com/s/files/1/0428/9291/8947/files/american_psychological_association_referencing_style.pdf
    • https://static.usrfiles.com/ugd/b8c837_189295f9b67f465890b07b2c896eb7bb.pdf
    • https://static.usrfiles.com/ugd/1b8612_975f718c11d4407fa3b5d23ff9afe43f.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_1a821885175442249c0123c697865600.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000512f.bin
2f32373152b86590eb5c993bf8dbb57d20fc33770b92bc1ec6b5fd985d660553		 pdf-font-stream PDF embedded font (sfnt) at offset 0x512F 2828 bytes
font_01_sfnt_off00005b38.bin
a901391cea30820d4841f391dff87e433a6ee2bd992b14104d921b5a5b1f3382		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B38 5012 bytes
font_02_sfnt_off00006c5f.bin
d54c80cccefebbcdf6332114efdf8947302f1e2d955cf1752148f08c512150cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C5F 13936 bytes
font_03_sfnt_off00009856.bin
39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9856 16092 bytes
font_04_sfnt_off0000ad1d.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD1D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.