MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link. The embedded URL, 'https://ttraff.cc/pify?keyword=bhagavad+gita+full+book', is the primary indicator of malicious intent. This suggests the document is designed to redirect users to a harmful site, likely for phishing or malware distribution. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact payload.
Heuristics 2
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://ttraff.cc/pify?keyword=bhagavad+gita+full+book
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0002451d.bin cfc95f6ebbe6c7949e4fc0636edf484cfbf5ce477271aeccbef11720d3ffa904 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2451D | 5208 bytes |
| font_01_sfnt_off000256d9.bin 380998d1091fdc20b7f1c1aeba8d78f77d4373c296f83289b97c927f51825d1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x256D9 | 3740 bytes |
| font_02_sfnt_off00026253.bin f17ea3347cf203d54ee8152e6f7af87648401e472f5587ab3f8496ff3124a090 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26253 | 12676 bytes |
| font_03_sfnt_off00028a2c.bin 4675b5cbe4ce24ad253174782b038ee90282bc861d34c8510b8489494f853b58 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28A2C | 6672 bytes |