Malicious PDF — malware analysis report

Static analysis result for SHA-256 9831cd5613668cfc…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-09-02 12:50:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 134fa07c8c184841921cb50a7525c036
SHA-1: 4fa0240b296047a2955d4700ee6d034f9e3de647
SHA-256: 9831cd5613668cfcb183a8894537360a5b2de75784177167502bc147a4abdcda
Risk score: 68

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the lure is a clickable URI inside the document; T1566.001 would be the attachment itself carrying the payload)
T1059.001 PowerShell (tagged by the engine, but no script or other active content was extracted from this sample, so the mapping is unconfirmed)

The PDF contains a clickable link whose target, https://ttraff.link/wix?keyword=active+directory+administration+cookbook+pdf, is a known malicious redirector. The keyword parameter carries the search phrase the lure was built around, which is consistent with SEO-poisoned distribution of phishing or malware rather than a targeted attachment. A visual download button reinforces the lure. No scripts or other active content were extracted, so the link annotation is the primary indicator of compromise; the redirect chain only plays out once a user clicks the link, not when a parser opens the file.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • [link annotation] https://ttraff.link/wix?keyword=active+directory+administration+cookbook+pdf
    • https://cdn.shopify.com/s/files/1/0434/8795/3053/files/xorokase.pdf
    • https://cdn.shopify.com/s/files/1/0460/6001/1675/files/appareillage_brique.pdf
    • https://cdn.shopify.com/s/files/1/0433/4800/0927/files/15866152939.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6965/files/jofenojigesuruji.pdf
    • https://static.usrfiles.com/ugd/b41a9a_a2928f8cbef74f23bc1fdb7d66144eb3.pdf
    • https://static.usrfiles.com/ugd/b8c837_58c0e2677d264bdfb97c9b6145d5f366.pdf
    • https://static.usrfiles.com/ugd/b8c837_c079e397d6b543469c9d93c04b4a128c.pdf
    • https://static.usrfiles.com/ugd/0511f5_0544ff3833f546d681bb8990c069c416.pdf
    • https://static.usrfiles.com/ugd/5a4aad_5e9a32490de74437b85ce3fd956b7539.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard XMP/RDF schema namespace identifiers from document metadata, not navigable links; they appear in any XMP-tagged PDF and carry no signal on their own.
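The distinction the EMBEDDED_URL heuristic draws, between a URL that is the target of a /Link annotation's /URI action and a URL that merely appears as a string in the file, is the one a triage script has to make before it can apply a rule like PDF_MALICIOUS_REDIRECTOR_LINK. The following is an added example written for this page, not the analysis engine's own code: it scans raw PDF bytes for /URI action targets, collects every other URL-shaped string separately, checks a small assumed redirector denylist (REDIRECTOR_HOSTS, seeded only from the finding above), and reports which active-content keys (/JavaScript, /OpenAction, /Launch, ...) are present. The sample PDF it runs on is constructed inline: one link annotation carrying the redirector URL plus an XMP metadata stream with the namespace URIs, standing in for the analysed file.

```python
"""Static triage of the URLs in a PDF: clickable /URI action targets versus bare URL
strings, plus a check for active-content keys.

Limitation: this works on the raw bytes, so objects inside compressed streams (/ObjStm,
/FlateDecode) and hex-obfuscated names (#4A for 'J') are missed; decompress first for
those. Good enough for wkhtmltopdf-style output, where annotations are stored in clear.
"""
import re
from urllib.parse import urlparse

# Assumed denylist, seeded from the report's own finding; not a vendor feed.
REDIRECTOR_HOSTS = {"ttraff.link"}

ACTIVE_KEYS = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia|XFA)(?![A-Za-z0-9])")
LINK_ANNOT = re.compile(rb"/Subtype\s*/Link")
# /URI key followed by a literal string (...) with backslash escapes, or a hex string <...>
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
BARE_URL = re.compile(rb"https?://[^\s\"'<>()]+")


def _unescape(s: bytes) -> bytes:
    """Resolve \\( \\) \\\\ inside a PDF literal string (octal escapes not needed here)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), s, flags=re.S)


def extract_link_targets(pdf: bytes) -> list:
    """URLs a user reaches by clicking: the /URI of a URI action (the 'link annotation' channel)."""
    found = [_unescape(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group(1)).decode()
        found.append(bytes.fromhex(h + "0" * (len(h) % 2)))  # PDF pads odd hex with 0
    return list(dict.fromkeys(u.decode("latin-1") for u in found))


def extract_bare_urls(pdf: bytes) -> list:
    """Every URL-shaped string anywhere in the file, clickable or not, in file order."""
    return list(dict.fromkeys(m.group(0).decode("latin-1") for m in BARE_URL.finditer(pdf)))


def triage(pdf: bytes, redirectors=REDIRECTOR_HOSTS) -> dict:
    clickable = extract_link_targets(pdf)
    return {
        "link_annotations": len(LINK_ANNOT.findall(pdf)),
        "clickable": clickable,
        # XMP namespace URIs and similar land here: present in the bytes, never a click target
        "non_clickable": [u for u in extract_bare_urls(pdf) if u not in clickable],
        "redirector_hits": [u for u in clickable
                            if (urlparse(u).hostname or "").lower() in redirectors],
        "active_content": sorted({m.group(1).decode() for m in ACTIVE_KEYS.finditer(pdf)}),
    }


# Constructed stand-in for the sample (not the analysed file): one /Link annotation with the
# report's redirector URL and an XMP metadata stream carrying the namespace URIs.
XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
       b'  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">\n'
       b'  <rdf:Description rdf:about="" pdf:Producer="wkhtmltopdf 0.12.5"/>\n</rdf:RDF>')
REDIRECTOR_URL = b"https://ttraff.link/wix?keyword=active+directory+administration+cookbook+pdf"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640]\n"
    b"  /A << /S /URI /URI (" + REDIRECTOR_URL + b") >> >> endobj\n"
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(XMP)).encode()
    + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))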

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off000062c0.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x62C0   5624 bytes
  SHA-256: a9d67d1e134b42e84c42bcb8f4ba7dc49945e49b12b0ffe839d78ee6449e93cc
font_01_sfnt_off000075d9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x75D9   10376 bytes
  SHA-256: 2c8bbbb8356d7c9c14aad6b634e7893473f278f73e1d8694514f218b35878c03

Both artifacts are embedded fonts written by the authoring application; neither is referenced by any heuristic above.