Malicious PDF — malware analysis report

Static analysis result for SHA-256 84cec516c149bb3d…

MALICIOUS

PDF

156.7 KB Created: 2020-08-07 01:47:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b3bd9133e74dc579195ee6243c38be0 SHA-1: 8d81f256057f47a4f61107260d44efca2ddaeb06 SHA-256: 84cec516c149bb3d2eb4474cdaf13ed056cf21162276a39fad544893cb379616
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://ttraff.com/wb?keyword=sustainable%20development%20and%20environmental%20protection%20appsc%20in%20telugu%20pdf, is the primary indicator of malicious intent. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine further actions.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=sustainable%20development%20and%20environmental%20protection%20appsc%20in%20telugu%20pdf
    • http://files.lykeys.com.au/uploads/1/3/0/8/130873869/29c4020b7.pdf
    • http://files.oldfallingsurc.org/uploads/1/3/1/3/131380625/d3d65da08b.pdf
    • http://files.conquergoodcreative.com/uploads/1/3/0/7/130776245/610981.pdf
    • http://files.heathernorrisart.com/uploads/1/3/1/3/131398097/makixuxejovor_lusap.pdf
    • http://daxolawe.kangarooclubhouse.com/uploads/1/3/0/7/130775432/8cdbdae1aef90.pdf
    • https://cdn.shopify.com/s/files/1/0435/3048/5912/files/fafusujine.pdf
    • https://cdn.shopify.com/s/files/1/0431/3687/6695/files/byzantine_church_architecture.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/70278744099.pdf
    • https://cdn.shopify.com/s/files/1/0437/0461/5066/files/3653573348.pdf
    • https://cdn.shopify.com/s/files/1/0437/9593/9488/files/mijekon.pdf
    • https://cdn.shopify.com/s/files/1/0434/1638/7733/files/folofimebumol.pdf
    • https://cdn.shopify.com/s/files/1/0433/9433/4870/files/72186562399.pdf
    • https://cdn.shopify.com/s/files/1/0432/5307/2022/files/anleitung_zur_anlage_er_2020.pdf
    • https://cdn.shopify.com/s/files/1/0430/6593/3973/files/multivariate_data_analysis_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/3459/1907/files/nojekesurorepupixeparunes.pdf
    • https://cdn.shopify.com/s/files/1/0433/2745/5382/files/fivojipidakafaruzeka.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001b3fa.bin
4389680202f7c1371848a1499b9442fd2d06dc306072d41de0e26df17eff9099		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B3FA 5780 bytes
font_01_sfnt_off0001c797.bin
eb50fc29a2b764c6db2dba3e3a73e504ea805a0e8c2f1262f0278e4bd1c46c2b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C797 69912 bytes
font_02_sfnt_off00024083.bin
3e558228b1a1c75d196031595f4b705db11568597c418418c5c0d30f94292e10		 pdf-font-stream PDF embedded font (sfnt) at offset 0x24083 9564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.