Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9c3f3594ac2192a…

MALICIOUS

PDF

33.8 KB Created: 2020-08-20 09:41:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ea96cfcce7a8fd2d38d6d2eb6826c0c SHA-1: f20546b861b3ea3ad229558d2dd9afae27027c76 SHA-256: b9c3f3594ac2192aab7c09f976df5b7bd381b1a21b9087368d31470aba1a3d74
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The link, 'https://ttraff.cc/pify?keyword=full+hd+bollywood+movies++online', is designed to lure users by promising movie access, likely leading to a malicious download or phishing page. The presence of a visual download button heuristic further supports this social engineering tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=full+hd+bollywood+movies++online
    • http://files.bshelart.com/uploads/1/3/2/7/132741397/bbcd2276f95856.pdf
    • http://files.shopykapparel.com/uploads/1/3/1/6/131637774/birejamofew_zarifiborosod_digasagaxumofi_bitujusuvupuka.pdf
    • https://cdn.shopify.com/s/files/1/0431/3183/0421/files/27737988724.pdf
    • https://cdn.shopify.com/s/files/1/0428/4828/8935/files/65039861641.pdf
    • https://cdn.shopify.com/s/files/1/0429/6730/2303/files/schindler_s_list_theme_violin.pdf
    • https://cdn.shopify.com/s/files/1/0437/5016/2581/files/garefafoterob.pdf
    • https://cdn.shopify.com/s/files/1/0437/9112/2584/files/englisch_bungen_uhrzeiten_klasse_5_arbeitsbltter.pdf
    • https://cdn.shopify.com/s/files/1/0434/6649/0006/files/foundations_of_analog_and_digital_electronic_circuits_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/5168/7837/files/3112894160.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000464f.bin
11bf6451b3580c143a82ffd47de0c9f207352d0a4e4849c322c6f8eeb8ad79a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x464F 5108 bytes
font_01_sfnt_off000057ab.bin
8163a619df7ef9af1d2004302981ca252dbc90a4fb3dba527383522d343d3cfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57AB 10576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.