Malicious PDF — malware analysis report

Static analysis result for SHA-256 52e7085a3f506025…

MALICIOUS

PDF

245.4 KB Created: 2020-07-27 21:57:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 255a2f084bc3ca52f4500d21cef8392f SHA-1: 7472a2bdf3815676dae5fe90cc49b86e860c2c14 SHA-256: 52e7085a3f506025c01be202e252587b8de685c5cede18c606fb4c37299de963
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. Additionally, another critical heuristic indicates the document is a lure for recovery secrets or private keys. The embedded URL is likely the initial stage of a phishing attack designed to harvest credentials.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=apache+benchmark++mac
    • http://files.weightknowmore.com/uploads/1/3/0/7/130775201/falujolasu.pdf
    • http://files.euron.co/uploads/1/3/1/3/131398188/d4c6a86.pdf
    • http://files.artexfurniture.com/uploads/1/3/1/3/131384635/fc92a.pdf
    • http://files.enactusguelph.ca/uploads/1/3/0/8/130813997/754623131.pdf
    • http://files.sarahbrothersbot.com/uploads/1/3/1/3/131384555/dukinenugadinov-xukubola-mogigib-mujobutavopoput.pdf
    • https://cdn.shopify.com/s/files/1/0436/7430/4662/files/kitijajufolav.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/72619586694.pdf
    • https://cdn.shopify.com/s/files/1/0433/9302/4151/files/linekowir.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3087/files/91498659200.pdf
    • https://cdn.shopify.com/s/files/1/0431/5398/1589/files/93340217261.pdf
    • https://cdn.shopify.com/s/files/1/0430/3667/2162/files/26928931888.pdf
    • https://cdn.shopify.com/s/files/1/0428/5287/6455/files/1248499883.pdf
    • https://cdn.shopify.com/s/files/1/0430/7678/0192/files/vuxuf.pdf
    • https://cdn.shopify.com/s/files/1/0431/5276/9192/files/89756011586.pdf
    • https://cdn.shopify.com/s/files/1/0432/7292/9435/files/zagifezi.pdf
    • https://cdn.shopify.com/s/files/1/0427/8062/3015/files/86950192128.pdf
    • https://cdn.shopify.com/s/files/1/0435/6807/0824/files/74217845896.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000386a9.bin
4d29f7e5a490048135ed6c8e1b1d01db9fe34a55959f7cd6044907992c1fa557		 pdf-font-stream PDF embedded font (sfnt) at offset 0x386A9 4704 bytes
font_01_sfnt_off00039654.bin
d5768e3f122c9b44594dbf5d17b6aec8c5503458d70abead2248ec325071e959		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39654 16132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.