Malicious PDF — malware analysis report

Static analysis result for SHA-256 5676d5480de486b1…

MALICIOUS

PDF

169.1 KB Created: 2020-08-11 20:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47adf5d446b0e315c2dc8a7b5f66a1d9 SHA-1: 8d53de907b864bacdd230a83f7656368ab05d7ae SHA-256: 5676d5480de486b1744e2b363dd807b64ef6e11eaae05868f0b3e832ca0df170
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=buddha+story+in+telugu+pdf'. This URL is embedded within the document body, suggesting a lure to trick the user into visiting a malicious site. No scripts were extracted, but the presence of the malicious URL is a strong indicator of a phishing or redirection attack.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=buddha+story+in+telugu+pdf
    • http://files.georgiaaglaborforum.com/uploads/1/3/0/7/130740073/zobopulanositax.pdf
    • http://nirebofow.nvsjc.net/uploads/1/3/1/1/131163635/pirubasoso.pdf
    • http://files.californiaconcerto.org/uploads/1/3/1/3/131383544/xevusokebotenog_xaruro_timejivi.pdf
    • http://files.chenguatmit.com/uploads/1/3/1/4/131455069/44829da988479.pdf
    • https://cdn.shopify.com/s/files/1/0431/6718/7108/files/6773675346.pdf
    • https://cdn.shopify.com/s/files/1/0445/4429/5076/files/tofowuxawerorisedewiga.pdf
    • https://cdn.shopify.com/s/files/1/0437/0645/0074/files/autocad_underlay_explode.pdf
    • https://cdn.shopify.com/s/files/1/0433/3718/7493/files/latin_real_book_bass_clef.pdf
    • https://cdn.shopify.com/s/files/1/0428/4504/4892/files/39535416375.pdf
    • https://cdn.shopify.com/s/files/1/0433/2371/9845/files/xodagamofapigakolowol.pdf
    • https://cdn.shopify.com/s/files/1/0430/3526/3138/files/zepidodimedepipune.pdf
    • https://cdn.shopify.com/s/files/1/0434/7750/0056/files/4587678509.pdf
    • https://cdn.shopify.com/s/files/1/0431/8691/3439/files/95783089696.pdf
    • https://cdn.shopify.com/s/files/1/0429/2401/5783/files/44380949609.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00022ce1.bin
1617574fccebb5856d5ccf857bdeb222a8ce84e7bcfd801929062d3c5acc54e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22CE1 5456 bytes
font_01_sfnt_off00023f69.bin
77f1c9b0d9bb4cfcc3177387a2210667efeeea7fdada8152cd6df06409f22598		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23F69 7300 bytes
font_02_sfnt_off00025361.bin
72ad8bfa4e003a861d61bd920d1948d880581ddc1c81b6b6c44a0eb3870b7b9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x25361 18008 bytes
font_03_sfnt_off000288bd.bin
6da8543db128ba3d4a0de7dd57787bfd371c5571568906e972c083e804cba9ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x288BD 3448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.