Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c60f3ec4f658084…

MALICIOUS

PDF

187.6 KB Created: 2020-08-01 18:29:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bcc20c873e5f920728ed4bbe4dbef59 SHA-1: 2099e84c2ed9a4f5ec52e7661f487df93c3a30b4 SHA-256: 4c60f3ec4f658084fd2e027870ffa2a0069e9a9304424c327283ece80d4aa38d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. This suggests the document is designed to lure the user to a potentially harmful external site. No scripts were extracted, and the document body was heavily obfuscated, preventing further analysis of its specific intent beyond the redirection.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=necron+codex+pdf+7th
    • http://files.jennifercronk.com/uploads/1/3/1/4/131437806/2616584.pdf
    • http://files.angelwolfcomics.com/uploads/1/3/0/7/130776131/vafugaxug.pdf
    • http://files.rcdavis-tellinstories.com/uploads/1/3/1/3/131383624/ebc2656e5828c5.pdf
    • http://files.varghesemathai.com/uploads/1/3/1/4/131482952/8104148.pdf
    • http://files.rabbithatdesigns.com/uploads/1/3/1/4/131453061/8c0e05bd.pdf
    • https://cdn.shopify.com/s/files/1/0436/8711/6965/files/dubuzaguxizepir.pdf
    • https://cdn.shopify.com/s/files/1/0430/2084/5210/files/27452808651.pdf
    • https://cdn.shopify.com/s/files/1/0433/8037/5704/files/veranotalimexutavu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/14490041284.pdf
    • https://cdn.shopify.com/s/files/1/0435/5060/5461/files/59827271058.pdf
    • https://cdn.shopify.com/s/files/1/0433/1818/2041/files/96952066508.pdf
    • https://cdn.shopify.com/s/files/1/0435/4893/4295/files/65560961851.pdf
    • https://cdn.shopify.com/s/files/1/0433/5376/8095/files/28441388901.pdf
    • https://cdn.shopify.com/s/files/1/0433/4603/4846/files/kusimegajugomakes.pdf
    • https://cdn.shopify.com/s/files/1/0433/9361/3989/files/bizixot.pdf
    • https://cdn.shopify.com/s/files/1/0434/5564/3813/files/90194432577.pdf
    • https://cdn.shopify.com/s/files/1/0437/8548/6498/files/28753707754.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002ac41.bin
de23735cc5736bef8bf1c9af8167c851d8578ea3c49da44749f257a8040c0840		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2AC41 4940 bytes
font_01_sfnt_off0002bd26.bin
252243e0b508ddd656c9a6212c4be94b0eec64c5ac9df2f284393810fbaa22e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2BD26 10508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.