Malicious PDF — malware analysis report

Static analysis result for SHA-256 8230c0ff8ca981f3…

MALICIOUS

PDF

49.0 KB Created: 2020-08-19 14:50:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6754d5f114e21f837af452a0954b6cef SHA-1: e110f89e7e50a4456037680dcf65cff3016da7bd SHA-256: 8230c0ff8ca981f31898432d39d6e73ede0ef2beade6af171d0d942e01fb28bd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link and a link farm, indicating a phishing or scam attempt. The embedded URL, 'https://ttraff.ru/pify?keyword=onion+root+tip+mitosis+lab+report+discussion', is identified as a malicious redirector. The document body, though heavily obfuscated, contains this URL, suggesting the primary intent is to redirect the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=onion+root+tip+mitosis+lab+report+discussion
    • http://files.pammiller.co.uk/uploads/1/3/1/0/131070452/lanaxuwu.pdf
    • http://lalon.sneakerbots4all.com/uploads/1/3/0/7/130776054/5a691c56b3f21.pdf
    • http://files.kelownaplumbingsolutions.com/uploads/1/3/1/3/131398156/vudejinu-kedav-benosagulita.pdf
    • https://cdn.shopify.com/s/files/1/0431/1161/2572/files/academic_english_reading_and_writing_across_the_disciplines_pearson.pdf
    • https://cdn.shopify.com/s/files/1/0440/5982/0182/files/16592079033.pdf
    • https://cdn.shopify.com/s/files/1/0428/3308/4575/files/vijorujafebovo.pdf
    • https://cdn.shopify.com/s/files/1/0433/4285/6345/files/discord_js_totoal_messages.pdf
    • https://cdn.shopify.com/s/files/1/0437/8283/2280/files/47950481956.pdf
    • https://cdn.shopify.com/s/files/1/0431/8117/9048/files/sovirebubere.pdf
    • https://cdn.shopify.com/s/files/1/0436/1102/9667/files/fashion_trend_report_2019.pdf
    • https://cdn.shopify.com/s/files/1/0432/0247/8237/files/kptcl_recruitment_notification_2020.pdf
    • https://cdn.shopify.com/s/files/1/0432/7194/6398/files/32196366384.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000737f.bin
8933025069f3bb6fe6ac15ebefd4c38d6c6ef9aebcc124b93fb1b4a5293c950b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x737F 5268 bytes
font_01_sfnt_off00008539.bin
90ad1016335133064598e9aa6590c972868e23a73d7a84b262e9d519b348a523		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8539 10304 bytes
font_02_sfnt_off0000a869.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA869 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.