Malicious PDF — malware analysis report

Static analysis result for SHA-256 44279aba4fa4da6e…

Verdict: MALICIOUS
File type: PDF
Size: 181.6 KB
Created: 2020-08-30 18:59:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 785bdbe719313032b9c95beb17c220c8
SHA-1: 816ad3346577efd6d7ed935970865e32f0fa2f0d
SHA-256: 44279aba4fa4da6e9945cbb19c63702fdb2bbf3e88f3fe396164dbc5bb531a2d
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://ttraff.com/wix?keyword=analyzing+data+1+mouse+experiment+wo, is the primary indicator of malicious intent. This link likely leads to a phishing or malware distribution site. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact lure.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=analyzing+data+1+mouse+experiment+wo

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0002591d.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2591D  Size: 5632 bytes
    SHA-256: d47ed8e80a02ef68f3154514a32933cecce664f3d5237a5820f881aa29d5fb33
  • font_01_sfnt_off00026c52.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x26C52  Size: 7928 bytes
    SHA-256: 9a14c436afc597e2807e8f1959f28b8a0e79b5e0044df77dd217e4bb6c5b02c9
  • font_02_sfnt_off000281f6.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x281F6  Size: 15480 bytes
    SHA-256: ee2a6ca2e1e95242f1f91279454dcfe622314661dd29b5e53a02d587ee819a5b
  • font_03_sfnt_off0002b301.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2B301  Size: 16148 bytes
    SHA-256: 1a2b76eb92621148de57a48589384f2ed1ce1add53d2a8f9a0414c0ea737f4f8