Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dde3889b580cab8…

MALICIOUS

PDF

182.8 KB Created: 2020-08-04 17:25:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 551be050bac9df529a6593dff74be39b SHA-1: 700e30aecdb029599fdcb40a480dfec2a4d15487 SHA-256: 8dde3889b580cab8865fbd75755c10eeaf38c4a5bde83f660dfcfb699571d161
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=holt+mcdougal+algebra+1+pdf+answers'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file type and the nature of the URL indicate a phishing attempt disguised as a document download.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=holt+mcdougal+algebra+1+pdf+answers
    • http://files.blackandbrownarebeautiful.com/uploads/1/3/0/7/130740138/a6ce21ddf739.pdf
    • http://files.visualratio.com/uploads/1/3/1/3/131383456/8384621.pdf
    • http://files.rabbithillhome.com/uploads/1/3/0/9/130969681/vidusubupet_rufaba_xikupajizikot.pdf
    • http://kitog.confetticakeshop.com/uploads/1/3/1/4/131482853/wejozenarosazu_vevewimopili_rugipal.pdf
    • http://files.australianfoodie.com/uploads/1/3/1/4/131483955/3712783.pdf
    • https://cdn.shopify.com/s/files/1/0430/6088/7705/files/22480202981.pdf
    • https://cdn.shopify.com/s/files/1/0437/1356/0727/files/sacred_contracts_caroline_myss.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejumaxerufu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2121/3591/files/pakebavopufa.pdf
    • https://cdn.shopify.com/s/files/1/0431/3861/3415/files/nugobifomazupebejatuli.pdf
    • https://cdn.shopify.com/s/files/1/0429/8558/6849/files/44069253065.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/58014629257.pdf
    • https://cdn.shopify.com/s/files/1/0432/1958/3133/files/1842838718.pdf
    • https://cdn.shopify.com/s/files/1/0435/3464/7445/files/xray_texture_pack_1._7_10.pdf
    • https://cdn.shopify.com/s/files/1/0436/9799/5944/files/dmv_cheat_sheet_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0002913d.bin
bd92f4f33eb6f0c7dd3c2ac318e77e19396f5942bcd58a095cbe14babc098b20		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2913D 7992 bytes
font_00_sfnt_off00027025.bin
4f3ce39fa2c1cf7a8107a0537c1ad780c61ec057aa1a8938ff266f58238e2a9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27025 3848 bytes
font_01_sfnt_off00027dd1.bin
4c92b99b849f9efb2fb96c89bb7f933c3dc5c8e686be67024011736dc82df312		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27DD1 5720 bytes
font_03_sfnt_off0002a763.bin
a91127083e5cb791632cd25cd966d5cfbc844b487be8b8d34ed0ff3e475accee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2A763 10948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.