Malicious PDF — malware analysis report

Static analysis result for SHA-256 c54451c7fc85492d…

Verdict: MALICIOUS
File type: PDF
Size: 255.3 KB
Created: 2020-08-29 19:55:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de0ae3c2d64da67bafcd68a9ac9e0031
SHA-1: 482fe382da2d0f2e98e45192a9ead113980bd956
SHA-256: c54451c7fc85492d8de864aa2c4852ad1a30c6db9e7ddd1b21a726280f156477
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic indicating a malicious redirector link to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL. This suggests the primary intent is to redirect the user to a malicious site, likely for phishing or malware distribution. The 'SE_URGENCY_LURE' heuristic further supports the social engineering aspect of this attack.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=starpoint+gemini+warlords+trade+routes

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0002f9f6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F9F6
    Size: 46432 bytes
    SHA-256: 4db3faa59ca9ec1e0c26affbc44c0918ad9f2ccc8b272ea1b9de7f4b096d441c
  • Filename: font_01_sfnt_off0003893d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3893D
    Size: 5472 bytes
    SHA-256: 54159d08c81f1bcd33515a630a526ecfa7f3fbb155125867de8d357bc950d9c6
  • Filename: font_02_sfnt_off00039bc0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x39BC0
    Size: 7772 bytes
    SHA-256: 12ea97118240708894ba8bcc529779bf9494227854b3595c3e0b8ce6e1c83595
  • Filename: font_03_sfnt_off0003b5b6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3B5B6
    Size: 18272 bytes
    SHA-256: 8e6a8d6b3055b806d293b8f4b723c578e24551041909dae5e63ddc10d9a73fcd