Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7d0d4f40691ac44…

Verdict: MALICIOUS
File type: PDF
Size: 202.9 KB
Created: 2020-08-15 08:15:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44d398d766e0477277ffd0381f10ea4b
SHA-1: d9964aa0dcba69587fa3953423b15082918391c2
SHA-256: b7d0d4f40691ac447807193eedcaff9630e6a89f05832e408c4a01eef8fd38cb
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=pottu+amman+film+songs+free'. The document body, though heavily obfuscated, also contains this URL. The presence of urgency language in the heuristics suggests a social engineering attempt to trick the user into clicking the malicious link, likely leading to a further stage of infection.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=pottu+amman+film+songs+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002e0cf.bin
  SHA-256: 145ed8d1ecbe4c8e98a9f957e94e9d662d60dbf90157b272d9fa8934a7521fe3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2E0CF
  Size: 5088 bytes

Filename: font_01_sfnt_off0002f204.bin
  SHA-256: 36b0a97f85bea7a2266f37da94ce86b5de7001e98c23ed590f3058e5ce5ebf36
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2F204
  Size: 13948 bytes