PDF malware analysis — malicious · 4b1196554c538784

MALICIOUS

PDF

182.6 KB Created: 2020-08-03 08:56:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6c4a94654a71b8dc31e0c7832657b8d3 SHA-1: 9108f893af19a29902a32054bdfd69e6e1b1ffa6 SHA-256: 4b1196554c538784c69ba1507e1c7832371b73c3abca220b3a4b4d0b45225271

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This indicates the document's primary purpose is to lure users to a potentially malicious site. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine further actions. The presence of the malicious URL is the most significant indicator of compromise.

Heuristics 2

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=_%2528+%25E3%2583%2584%2529+_%252F%25C2%25AF
- http://files.internationalpsychologyandhealing.com/uploads/1/3/0/9/130969811/716190.pdf
- http://files.balticsportsciencesociety.com/uploads/1/3/1/1/131164442/7559044.pdf
- http://files.goldlawcolorado.com/uploads/1/3/1/3/131383982/zenafemi.pdf
- https://cdn.shopify.com/s/files/1/0433/8191/5798/files/pudujetipozaxularaze.pdf
- https://cdn.shopify.com/s/files/1/0431/3631/9645/files/papadixotawotenora.pdf
- https://cdn.shopify.com/s/files/1/0431/8032/7076/files/puviw.pdf
- https://cdn.shopify.com/s/files/1/0437/9472/7074/files/futoduzemopel.pdf
- https://cdn.shopify.com/s/files/1/0438/0485/2386/files/my_chemical_romance_sing_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0428/7207/8499/files/fesudoxukupamen.pdf
- https://cdn.shopify.com/s/files/1/0432/2885/6487/files/92611516091.pdf
- https://cdn.shopify.com/s/files/1/0431/0623/8613/files/15093860823.pdf
- https://cdn.shopify.com/s/files/1/0432/6447/5299/files/nuvugotex.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off00008c18.bin` `3a49b2d6f637a25567705194d22c04a5265d255fa11f14a04b0fdb21e97c02eb`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x8C18	157852 bytes
`stream_006_off0002714e.bin` `737fdb128980c29202f199d669df1c2b9bc8674595f8343a561c7e0c0acd5c0c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2714E	1540 bytes
`font_01_sfnt_off000257a3.bin` `d0f323bc3ef08f10b6c97744d4c8d27a5caaee0184c284dbfc639d16f25ba9fb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x257A3	3048 bytes
`font_02_sfnt_off00026261.bin` `940c337334f5fedc2b71aa6dc8abfbdf60933a023ce837b7595973d9449fc002`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x26261	4324 bytes
`font_04_sfnt_off0002798d.bin` `1dee64feb338e2cc595d88a35b766ea8b8b199e124349708576bb4cf11bee47e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2798D	1772 bytes
`font_05_sfnt_off00028240.bin` `9991d2db6b5c36f6351e4abe45bd26866d866bb74f3c970d3d590e6fec3e9aae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x28240	12712 bytes
`font_06_sfnt_off0002ada3.bin` `31fa92d257eb6c570745d05f57fafca321066faa8eb9d95a5c528efb15d15cd7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2ADA3	17812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.