Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5608e8e69bd2f25…

Verdict: MALICIOUS
File type: PDF
Size: 572.2 KB
Created: 2020-08-07 03:24:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6aec4b0220ccc0221af96208034ff9aa
SHA-1: f16348babfac333e0e9be6d5ccee0d99202962ef
SHA-256: b5608e8e69bd2f257f3192340ffa9e26eb34c4bda81fe717a64c5fe0565a6f17
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

A heuristic fired because the PDF carries a clickable link to known malicious redirector infrastructure: https://ttraff.com/pify?keyword=grade+12+mathematics+textbook+pdf+free+download. The document body, although heavily obfuscated, also contains this URL. The lure is a free "grade 12 mathematics textbook" download, and the likely intent is to route the reader through a redirect chain to adware or other unwanted content rather than to deliver the promised material. No JavaScript or other scripts were extracted, so there is no execution behaviour to analyse beyond the link itself; in particular, the T1059.001 (PowerShell) mapping above is not supported by any extracted artifact and should be treated as a campaign-level association, not an observation from this file.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI (typically a /Link annotation carrying a /URI action) that points at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the absence of a script or exploit does not lower the verdict.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL label records which channel (macro, JavaScript, link annotation, document body, ...) reached it.
    • https://ttraff.com/pify?keyword=grade+12+mathematics+textbook+pdf+free+download (clickable link; also present in the document body)
    • http://files.premiertruckparts.ca/uploads/1/3/1/8/131860204/tezofinimaxuka-nirafetobe.pdf
    • http://files.tnooyi.com/uploads/1/3/1/4/131483083/d796050628.pdf
    • http://files.peppahead.com/uploads/1/3/0/7/130740563/ximojot.pdf
    • http://files.ibstudyskills.com/uploads/1/3/2/6/132696263/vopajuwe.pdf
    • https://cdn.shopify.com/s/files/1/0434/7074/9856/files/mitususapunipefoxukujepuf.pdf
    • https://cdn.shopify.com/s/files/1/0430/6521/3079/files/26808115891.pdf
    • https://cdn.shopify.com/s/files/1/0432/3504/9640/files/92387877618.pdf
    • https://cdn.shopify.com/s/files/1/0435/3048/5915/files/wovid.pdf
    • https://cdn.shopify.com/s/files/1/0428/7306/1532/files/wipuxufepetakux.pdf
    • https://cdn.shopify.com/s/files/1/0428/9062/5191/files/relegexitibojerurelowuf.pdf
    • https://cdn.shopify.com/s/files/1/0433/8289/8840/files/gitaxaxodoxa.pdf
    • https://cdn.shopify.com/s/files/1/0428/2331/9715/files/20103386724.pdf
    • https://cdn.shopify.com/s/files/1/0429/6815/4278/files/63002527373.pdf
    • https://cdn.shopify.com/s/files/1/0440/5529/8213/files/34085341302.pdf
    • https://cdn.shopify.com/s/files/1/0427/8448/9631/files/vegabejekozefogedanifuxi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six URIs above are XMP metadata namespace identifiers (RDF, Dublin Core and Adobe PDF/XMP schemas) written by the authoring tool. They are schema names, not links, and should not be treated as indicators. The remaining http(s) entries point to further hosted PDF files and are worth reviewing as related lure documents.
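To show how per-URL channel labels of the kind listed above are produced, here is an added example (not the analysis platform's own code) that pulls every URL out of a constructed minimal PDF and labels each one with the channel that reached it: a /Link annotation /URI action, the document body, or the XMP metadata packet, where the well-known namespace URIs are recognised as schema identifiers rather than indicators. It then applies the same rule as PDF_MALICIOUS_REDIRECTOR_LINK: fire only when a clickable link lands on a redirector host. The sample PDF bytes, the redirector host list and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# XMP schema namespace URIs. Every XMP packet carries some of these; they are
# schema identifiers, not links a reader can click, so they are never indicators.
XMP_NAMESPACES = {
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
}

# Assumed redirector host list; a real pipeline would feed this from threat intel.
REDIRECTOR_HOSTS = {"ttraff.com"}

URL_RE = re.compile(rb'https?://[^\s()<>"\']+')
# /Link annotation with a /URI action: the one channel that is clickable without JavaScript.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
XMP_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.S)

# Constructed sample, not the analysed file. Stream /Length values and the xref
# table are omitted because the extractor below never needs a conforming file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 400 720]
  /A << /S /URI /URI (https://ttraff.com/pify?keyword=grade+12+mathematics+textbook+pdf+free+download) >> >>
endobj
5 0 obj << >>
stream
BT /F1 12 Tf (Download: https://ttraff.com/pify?keyword=grade+12+mathematics+textbook+pdf+free+download) Tj ET
BT /F1 12 Tf (Mirror: https://cdn.shopify.com/s/files/1/0434/7074/9856/files/mitususapunipefoxukujepuf.pdf) Tj ET
endstream
endobj
6 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/>
</rdf:RDF></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def is_redirector_host(host):
    return any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS)


def classify_urls(pdf):
    """Label every URL with the channel(s) it was reached through and a verdict."""
    link_uris = set(URI_ACTION_RE.findall(pdf))
    xmp_match = XMP_RE.search(pdf)
    xmp_urls = set(URL_RE.findall(xmp_match.group(0))) if xmp_match else set()
    # "Document body" is whatever is left once the two labelled channels are removed.
    body = XMP_RE.sub(b"", URI_ACTION_RE.sub(b"", pdf))
    body_urls = set(URL_RE.findall(body))

    rows = []
    for raw in dict.fromkeys(URL_RE.findall(pdf)):  # dedupe, keep first-seen order
        url = raw.decode("latin-1")
        channels = []
        if raw in link_uris:
            channels.append("link-annotation")
        if raw in body_urls:
            channels.append("document-body")
        if raw in xmp_urls:
            channels.append("xmp-namespace" if url in XMP_NAMESPACES else "xmp-metadata")
        if is_redirector_host(_host(url)):
            verdict = "redirector"
        elif channels == ["xmp-namespace"]:
            verdict = "benign-schema"
        else:
            verdict = "review"
        rows.append({"url": url, "channels": channels, "verdict": verdict})
    return rows


def fires_redirector_heuristic(rows):
    """Mirror PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI on a redirector host."""
    return any(r["verdict"] == "redirector" and "link-annotation" in r["channels"] for r in rows)


if __name__ == "__main__":
    rows = classify_urls(SAMPLE_PDF)
    for row in rows:
        print(f'{row["verdict"]:14} {"+".join(row["channels"]):30} {row["url"]}')
    print("PDF_MALICIOUS_REDIRECTOR_LINK:", fires_redirector_heuristic(rows))
```

On the constructed sample the ttraff.com URL is labelled both link-annotation and document-body and carries the redirector verdict, the shopify mirror is document-body only and left for review, and the two XMP namespace URIs are labelled benign-schema. The body channel is deliberately computed by subtraction so that a URL hidden in an unusual object still gets a label, and the heuristic only fires on a clickable link, which is what distinguishes a lure the reader can act on from a URL that is merely present in the bytes.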

Extracted artifacts (5)

Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) font subsets are expected in a wkhtmltopdf render and are not indicators on their own; they are listed so that their hashes can be matched against other samples.

font_00_sfnt_off00086189.bin
  SHA-256: e9636ec00b0c84393cac35ec8fba7d0649c346ea1691f3f5f7afbc58af783ab2
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x86189
  Size:    5976 bytes

font_01_sfnt_off0008759a.bin
  SHA-256: ff651309bbdcff8c983c3c2fd0aa72d32c614acd8e9f29413d7b25ea97b27f97
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8759A
  Size:    1188 bytes

font_02_sfnt_off00087c6c.bin
  SHA-256: fd30f42c6d368a4901baed232524f0a2cc3880fa561cd4f38a7ebfb43e2f81a6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x87C6C
  Size:    2848 bytes

font_03_sfnt_off000887c4.bin
  SHA-256: f8c3b4688217afe190adfbb4dcab44d3aaff3294eb74270dd3232cbbc814eb59
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x887C4
  Size:    19184 bytes

font_04_sfnt_off0008c3f3.bin
  SHA-256: b54c958d5444b5df95cdb6f7a7441a75764355ad907375ae35120e3e31f42936
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8C3F3
  Size:    17736 bytes