Malicious PDF — malware analysis report

Static analysis result for SHA-256 37df49c84ff9cf4d…

Verdict: MALICIOUS
File type: PDF
Size: 220.3 KB
Created: 2020-08-07 01:29:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51db2313b4c10a171a31cac8d716d38d
SHA-1: d6a39e800fb0a862654a4c6b3a0caba35627b8d2
SHA-256: 37df49c84ff9cf4dfced9b648e8202d27d7c2ae6841b799ae311aed36951c575
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fired on this PDF, indicating a malicious redirector link. The embedded URL, https://ttraff.com/pify?keyword=autobiography+of+mahatma+gandhi+pdf, is the primary indicator of malicious intent. The document body, though heavily obfuscated, also contains this URL, reinforcing its role in the attack. The file type and authoring application suggest the document was generated programmatically, likely to obscure its malicious payload.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=autobiography+of+mahatma+gandhi+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off00030d13.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x30D13
  Size: 5476 bytes
  SHA-256: 6e5ef3f8f7f1d1b1914f16c4a9f3a8d0d4d83e8a95985dc15d5f69127769945e

font_01_sfnt_off00031f90.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x31F90
  Size: 5236 bytes
  SHA-256: f21b05a2340b363a1ed8b0bbfc234bf9da5e90c1c639b98be765a2f280f9ba06

font_02_sfnt_off0003301d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3301D
  Size: 12032 bytes
  SHA-256: a178426f1cf6b0c26e2ffa6bcb793b4c7e92ef8fea62f9b826009a845436ab18

font_03_sfnt_off00035740.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x35740
  Size: 2688 bytes
  SHA-256: 1e0d5806c011263fead0d0a97ee2ef622c56622b8772aec8198e3c33d023e126