Malicious PDF — malware analysis report

Static analysis result for SHA-256 a62f205340f83a1f…

MALICIOUS

PDF

157.6 KB Created: 2020-08-24 21:54:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2feb2e52fb5e8f0f9c60d346d5521288 SHA-1: d57df6dfba328ac6dd683ef78686526289bb05ee SHA-256: a62f205340f83a1f5dbfc8b405eb811427118a12c198bfa15ff2bb24a28ad827
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=clcss+latest+guidelines'. The document body also contains urgency language, suggesting a lure to entice the user to click the malicious link. No scripts were extracted, but the primary attack vector appears to be the malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=clcss+latest+guidelines
    • http://files.kiddiesloungenursery.com/uploads/1/3/0/7/130775286/3373241.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54729765263.pdf
    • https://cdn.shopify.com/s/files/1/0434/4145/5254/files/felipoz.pdf
    • https://cdn.shopify.com/s/files/1/0432/5956/0086/files/ripexasujesumivipefibele.pdf
    • https://cdn.shopify.com/s/files/1/0429/8702/8641/files/parofelegajowezalaguwomuv.pdf
    • https://cdn.shopify.com/s/files/1/0429/9145/2314/files/48320863191.pdf
    • https://cdn.shopify.com/s/files/1/0429/5108/2143/files/java_convert_word_to.pdf
    • https://cdn.shopify.com/s/files/1/0434/5593/8720/files/18706828492.pdf
    • https://cdn.shopify.com/s/files/1/0429/3882/6918/files/98331808218.pdf
    • https://cdn.shopify.com/s/files/1/0430/2176/2723/files/dedodibezupufema.pdf
    • https://cdn.shopify.com/s/files/1/0465/1106/3190/files/collaborative_forecasting_implementation_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/5847/0813/files/3629348244.pdf
    • https://cdn.shopify.com/s/files/1/0433/3741/6869/files/wukebikimijesi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002168e.bin
aa20b906ef9566ce97820f1e6f4e3b0c975b2664beb9dd6e16f1dc23865c43cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2168E 4808 bytes
font_01_sfnt_off000226dc.bin
58b4873d33ac9fffaf45ed1a2312b8eb5fadf3b067e77f8cfe9e87095f6a7717		 pdf-font-stream PDF embedded font (sfnt) at offset 0x226DC 6068 bytes
font_02_sfnt_off0002368d.bin
3d37f4e27c59bf294e7d088e23e04aef3b1c5b02ede9fcf924aa9ed5190d6ffe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2368D 10404 bytes
font_03_sfnt_off000259f7.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x259F7 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.