Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f36d0991b8c34ce…

Verdict: MALICIOUS
File type: PDF
Size: 153.8 KB
Created: 2020-08-04 22:09:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81bb8e07c5558ed6501df6633162d32e
SHA-1: 80881ae75219d1f52cc02b25cb34e726c37fd695
SHA-256: 8f36d0991b8c34ceddd9bfe7c212a1c00ab86ef444a4273abda4d42fb7b980ab
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on a malicious redirector link in the PDF, pointing to 'https://ttraff.cc/pify?keyword=understanding+comics+scott+mccloud+pdf'. This indicates the document is designed to redirect users to potentially harmful websites. The document body, though heavily obfuscated, contains the same URL, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=understanding+comics+scott+mccloud+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0002229c.bin
    SHA-256: 9f399326fee07128a4fbe67fb5fd07e9dff2cd24c19f507f3f3be959b794a266
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2229C
    Size: 5468 bytes
  • font_01_sfnt_off00023524.bin
    SHA-256: 1c3ede96e3608109b957f9ed0ef81905998af1fb5a0a91558556fb8a12dcf3c7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23524
    Size: 10676 bytes