Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4567a1268cc85c5…

Verdict: MALICIOUS
File type: PDF
Size: 184.1 KB
Created: 2020-08-23 15:46:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 812ccf9a1197140a1764540c3feab8ab
SHA-1: 2bf748a2d7ed0dcf29243938f0372451b87db4f7
SHA-256: c4567a1268cc85c59167ea122ee40c324867afb430659802f4a147c8508a8151
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggered a critical-severity heuristic for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=aortic+insufficiency+esc+guidelines'. The document body, although heavily obfuscated, contains references to this URL, suggesting the primary intent is to lure the user into visiting this malicious site. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=aortic+insufficiency+esc+guidelines

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000279f6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x279F6  5072 bytes
  SHA-256: 602dc44c379888fb1d868bb5fbf6d9767657a9cf74dcb003feb4cbd13a3c0e0e
font_01_sfnt_off00028b53.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x28B53  15656 bytes
  SHA-256: ec875e5b795f6bbc3591ac8c2832b4283dad361c94142d61d8bafd9dbd7934e0
font_02_sfnt_off0002bcc1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2BCC1  16148 bytes
  SHA-256: 43dd7310e986e37c0562d6efd2a67b6291a0d41fa892ecd43b306c3e7231f7b7