Malicious PDF — malware analysis report

Static analysis result for SHA-256 87070ef56545fe1e…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Created: 2020-08-30 12:20:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b7c2a928a41d8fb49abb34de49eec47
SHA-1: 24b5fd4da561bd0be8cd7887a60669c680f254c3
SHA-256: 87070ef56545fe1e1b75c7aee690595138bae5a3fb0efcbbc1d767b05853a37d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical-severity heuristic for a malicious redirector link. The embedded URL, https://ttraff.ru/wix?keyword=sistema+electrico+automotriz+pdf+conevyt, is the primary indicator of malicious intent: it suggests the document is designed to lure users to a potentially harmful external site. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=sistema+electrico+automotriz+pdf+conevyt

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000686a.bin
  SHA-256: 9161152224eed58c1108e3701fbca1f59cf7c75bf668eadf3a68af7183f2c767
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x686A
  Size: 5496 bytes

Filename: font_01_sfnt_off00007b07.bin
  SHA-256: 94c4de8a473a04af1b6a47e2137dfac0cb9c77862f9a973105e19d6919174ef4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7B07
  Size: 11088 bytes

Filename: font_02_sfnt_off00009ebe.bin
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9EBE
  Size: 4324 bytes