Malicious PDF — malware analysis report

Static analysis result for SHA-256 379d192b1111eb79…

MALICIOUS

PDF

Size: 251.5 KB
Created: 2020-08-08 03:28:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f134d19d4e66719a2af246d204664e91
SHA-1: 52cadf244aec030a290e2ff36daebb876ec7820d
SHA-256: 379d192b1111eb798cc81623ace87b445c3385bbac9e3449bb3f60e1a87de942
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic indicating a malicious redirector link. The document body, though heavily obfuscated, contains the same URL found in the heuristic. This suggests the document's primary purpose is to trick the user into visiting the malicious URL, likely for a phishing or malware distribution scheme. The urgency lure heuristic further supports this malicious intent.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=carbamates+pesticides+pdf
    • http://nusunu.gvjhslibrary.org/uploads/1/3/1/4/131454012/64142ed2.pdf
    • http://files.vickijansma.com/uploads/1/3/2/7/132712214/570834.pdf
    • http://files.aimeelora.com/uploads/1/3/1/3/131398085/vovejisepak-rufuvepuzeg-jitegogor-jizowugudovo.pdf
    • https://cdn.shopify.com/s/files/1/0437/3685/8776/files/fumagotifofo.pdf
    • https://cdn.shopify.com/s/files/1/0434/2795/4854/files/bransden_joachain_quantum_mechanics_solutions_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/8230/7989/files/bach_bwv_998_guitar.pdf
    • https://cdn.shopify.com/s/files/1/0431/0938/4343/files/83296759418.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vexib.pdf
    • https://cdn.shopify.com/s/files/1/0429/6884/2393/files/jaxatubisavuvewu.pdf
    • https://cdn.shopify.com/s/files/1/0435/2652/0987/files/macbook_pro_2011_graphics_card_upgrade.pdf
    • https://cdn.shopify.com/s/files/1/0435/3887/4532/files/las_nacionalidades_en_frances.pdf
    • https://cdn.shopify.com/s/files/1/0431/6214/0840/files/93731017322.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00039979.bin | 135138e8e46bafbc55ce1662ecf3175a6854d76eac39807b186d3afc491ff84c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x39979 | 5316 bytes
font_01_sfnt_off0003ab6e.bin | e4f53e5014abd9689ea512b2c9a8ff9f7f40481b7f4eec4e7b7b647ac7cc9f4b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AB6E | 16932 bytes