Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c5efe213e584d9c…

MALICIOUS

PDF

149.3 KB Created: 2020-08-31 18:32:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9654f3a8c92484de6eaa75b80e1d339f SHA-1: 5e0228375b11c12ee6d052cdbccb4cb9606a24a5 SHA-256: 7c5efe213e584d9c13f4ee3c82de4a6baf697f7d433dc93ebbc35d7dc656b606
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=ancient+greek+pronunciation+guide'. This URL is likely used to lure users to a malicious site. No scripts were extracted, and the document body was heavily obfuscated, making further analysis of the exact payload difficult.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=ancient+greek+pronunciation+guide
    • https://static.usrfiles.com/ugd/b8c837_a95941689db5425b9f4a0dd5103113fd.pdf
    • https://static.usrfiles.com/ugd/b8c837_cf6d042501604a5ab710fa21e3333053.pdf
    • https://static.usrfiles.com/ugd/b8c837_5e117074dfaf411d888b606c2b7bed3b.pdf
    • https://static.usrfiles.com/ugd/de65f7_b94f9d81d7eb4219a355809c1effabb6.pdf
    • https://static.usrfiles.com/ugd/91e123_03d132394a8645acbaddfd3450d6d869.pdf
    • https://cdn.shopify.com/s/files/1/0438/9571/8040/files/givubafadogeraluliwa.pdf
    • https://cdn.shopify.com/s/files/1/0430/8202/3061/files/carrier_hvac_manual.pdf
    • https://cdn.shopify.com/s/files/1/0445/7014/9023/files/describing_adjectives_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0437/5235/8039/files/zanadorasamaritasunowo.pdf
    • https://static.usrfiles.com/ugd/e8506d_7ae2ac1764fd4f9392cd0ab5c75afc95.pdf
    • https://static.usrfiles.com/ugd/b8c837_d92458ecee1c45c6b35af5bffbd129bb.pdf
    • https://static.usrfiles.com/ugd/6846fe_4a5ab0bbddbc4484ac4a262b21514a27.pdf
    • https://static.usrfiles.com/ugd/bd5c68_ef1a583bbd3f4c0ba2001a71e98a6826.pdf
    • https://static.usrfiles.com/ugd/80bfa9_a89fda5f01f74156a9e6edca6cdb462c.pdf
    • https://static.usrfiles.com/ugd/eda9ba_f6983cbbc251429d9aab3e6f4fa81071.pdf
    • https://static.usrfiles.com/ugd/99afdc_6622f9793cdc4ca0b12b86fcd9ef958c.pdf
    • https://static.usrfiles.com/ugd/61f964_a03b21d4a7864f548803cbcce99b8716.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c7c2.bin
f1e495f34aafaa97647d2baf7b94054cf9b4918cd2f421e1de0a3980e1515465		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C7C2 5084 bytes
font_01_sfnt_off0001d924.bin
576a8540e0a5f99b7d25d5b267e3e2711d078bdd0365f45d8fc5b7e69c0c0d43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D924 38104 bytes
font_02_sfnt_off000230ff.bin
d7efe34de4b67e720ba271cf920b8c56ec33f8450a4ef256dd1948ea6b77630a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x230FF 16344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.