Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc8e85ddb7c932d4…

MALICIOUS

PDF

153.5 KB Created: 2020-08-09 03:12:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 697411e0ceaf71d74e60f8c5758fa400 SHA-1: 995d20a2d303a15318e2273486fe22cef16c30db SHA-256: cc8e85ddb7c932d44a2f37e69d0ede0d22b94898ff46b4f17ccbcc5f89bd22e8
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, 'https://ttraff.cc/pify?keyword=all+motherboard+company+name+list+pdf', is the primary indicator of malicious intent, likely leading to a phishing or malware download site. The document body, though heavily obfuscated, contains this URL, reinforcing its role in the attack. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=all+motherboard+company+name+list+pdf
    • http://files.godsgracehawaii.com/uploads/1/3/0/7/130738636/7045218.pdf
    • http://files.mssimonsays.org/uploads/1/3/1/3/131383380/neguxizufetek-xazaxakurogiri-nikotesari.pdf
    • http://files.pixiepatchbda.com/uploads/1/3/0/7/130739835/2a99548d5c75.pdf
    • http://files.sdicebox.com/uploads/1/3/1/8/131871786/ronobujudixijubes.pdf
    • http://files.hijabifiedclothing.com/uploads/1/3/1/4/131454791/mefis_lemedix_kadatisiweled.pdf
    • https://cdn.shopify.com/s/files/1/0429/2732/5351/files/shuffle_dataframe_pandas.pdf
    • https://cdn.shopify.com/s/files/1/0430/5272/8474/files/95189922392.pdf
    • https://cdn.shopify.com/s/files/1/0429/1392/3228/files/lasugasaxedibidigelover.pdf
    • https://cdn.shopify.com/s/files/1/0436/0205/1229/files/final_fantasy_15_strategy_guide.pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6217/files/tuzekorewe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96989945255.pdf
    • https://cdn.shopify.com/s/files/1/0427/9212/4572/files/ridgid_generator_parts.pdf
    • https://cdn.shopify.com/s/files/1/0440/6919/1832/files/architectural_design_conceptualization.pdf
    • https://cdn.shopify.com/s/files/1/0430/2825/0781/files/monofemuxexoxodek.pdf
    • https://cdn.shopify.com/s/files/1/0429/9902/1717/files/zirulusoj.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kepikopu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001ffa9.bin
fd93d9e793e665ce0d787b21becab9252515bb06c4c876b687bba28df55be4f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1FFA9 5628 bytes
font_01_sfnt_off000212a2.bin
f395fa65378ac3d76379a5c06296a41139872990c9ccc77ff3ad84712a883ff7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x212A2 16900 bytes
font_02_sfnt_off000246f5.bin
c4cae46235622515584c4177a15ccbdca02b129ed3f527cb31c6b97a1d8f44ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x246F5 4368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.