Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6995930fdfefe41…

Verdict: MALICIOUS
File type: PDF
Size: 248.1 KB
Created: 2020-08-15 06:16:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a37d6747a89a436893c50689d85f02a
SHA-1: df5b29d33536e3a571f05fb473cb027813c3f5ee
SHA-256: a6995930fdfefe41296425f553703f8adcaf2257c2befa7e25b18f6eb02c72a2
Risk score: 68

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell

The PDF file triggers a heuristic for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=annual+report+of+apple+2018-+19'. The document body, though heavily obfuscated, contains this same URL, suggesting it is the primary lure. The heuristic 'SE_INVOICE_LURE' further supports the phishing pretext by indicating that the document's language is designed to trick the user into taking action. The file type is PDF, and the authoring application is wkhtmltopdf, which generates PDFs from web content and can be used to disguise malicious links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Fake invoice / payment lure (severity: low, ID: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=annual+report+of+apple+2018-+19

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0003769b.bin
    SHA-256: b62558f899d520dee9047450ddf27a69b8114854fd977823ce12cff33e07f627
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3769B
    Size: 5412 bytes
  • font_01_sfnt_off00038915.bin
    SHA-256: bd2ddad8557f26e42e19ffff2f68eacb7190dba38c6f5584333c997ef08be050
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x38915
    Size: 16628 bytes
  • font_02_sfnt_off0003bc5e.bin
    SHA-256: 1d4d671ae502080d93142a7eeda7a219ae6747fc4e119e8b75dad7192e420eff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3BC5E
    Size: 16208 bytes