Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc46c1d0a49885d3…

Verdict: MALICIOUS
File type: PDF
Size: 588.8 KB
Created: 2020-08-12 21:44:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6220d5d0444225e218fc00c82c46d0f7
SHA-1: 78e0ea47283a457cd010db0b5f044444ba7ae19a
SHA-256: bc46c1d0a49885d3be699006c2e242fd5d8396ab10e11d74f4d96b8f7d534bc2
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing indicating a malicious redirector link. The embedded URL, 'https://ttraff.ru/pify?keyword=aerospace+manufacturing+processes+pradip+k.+saha+pdf', is directly linked to this malicious activity. The document body, though heavily obfuscated, appears to contain the same URL, reinforcing the lure. No scripts were extracted, limiting further analysis of the payload.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/pify?keyword=aerospace+manufacturing+processes+pradip+k.+saha+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0008ba61.bin
    SHA-256: bc49a479a34b8f750a96f84a76d593a7b33f05e203d403e5031c6d9aa1aeb92d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8BA61
    Size: 5624 bytes
  • font_01_sfnt_off0008cd54.bin
    SHA-256: d304b07fda154ba5c01c8085f9d40e7153789f472d3e061d0246e04baeeb0231
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8CD54
    Size: 2472 bytes
  • font_02_sfnt_off0008d792.bin
    SHA-256: 83e519dd7a47c24a74e0d84a7663c716b66e7414380d0c054916e73e5a689211
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D792
    Size: 16860 bytes
  • font_03_sfnt_off00090c4d.bin
    SHA-256: 8673cfec7487bdecd527dba541a94796c6884566affd58989ab5d3dcd9393336
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90C4D
    Size: 16160 bytes