Malicious PDF — malware analysis report

Static analysis result for SHA-256 48d611244138a447…

MALICIOUS

PDF

397.4 KB Created: 2020-08-10 17:27:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43aba6ebfa26bd69e686947de1bf2534 SHA-1: 3b89fe6ffe0b2e10296ec7b587b7868458ad639f SHA-256: 48d611244138a447ee09c9ac782edae234433191e74cb64563b1ca299f5438b7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://ttraff.cc/pify?keyword=el+camino+del+guerrero+pacifico+pdf+descargar, is the primary indicator of malicious intent. This suggests the document is designed to lure the user to a potentially harmful website. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact payload.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=el+camino+del+guerrero+pacifico+pdf+descargar
    • http://xexozi.summitrootsfarm.co/uploads/1/3/1/4/131408738/2577571.pdf
    • http://files.oaksthreekeys.com/uploads/1/3/0/9/130969754/zejobepujeku.pdf
    • http://files.riverrunranch.net/uploads/1/3/1/3/131383651/4872657.pdf
    • https://cdn.shopify.com/s/files/1/0435/6807/0815/files/collins_vocabulary_for_ielts_mp3.pdf
    • https://cdn.shopify.com/s/files/1/0448/0057/3601/files/backstage_passes_and_backstabbing_bastards.pdf
    • https://cdn.shopify.com/s/files/1/0428/3714/7811/files/zukidakaworixixawevas.pdf
    • https://cdn.shopify.com/s/files/1/0433/4757/4949/files/bawinurezegugunarivu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7368/3100/files/gixowop.pdf
    • https://cdn.shopify.com/s/files/1/0431/2036/1629/files/kumav.pdf
    • https://cdn.shopify.com/s/files/1/0431/5545/6149/files/maxozegum.pdf
    • https://cdn.shopify.com/s/files/1/0430/0131/5491/files/zemagoduxa.pdf
    • https://cdn.shopify.com/s/files/1/0434/2215/4908/files/76851108567.pdf
    • https://cdn.shopify.com/s/files/1/0433/5976/4634/files/dugojabogonumakujuderu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2031/2991/files/rilewexesakagopoj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005df29.bin
02792d906334d51e3a9025fb138f3c3a02629c13432b4b6e5b09f3ca730f94dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DF29 5236 bytes
font_01_sfnt_off0005f0d6.bin
ae067731f7d51e5bd3a40a33a919dd494cc977afca5ae56160fb66aa13edbe3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F0D6 11632 bytes
font_02_sfnt_off0006169f.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6169F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.