Malicious PDF — malware analysis report

Static analysis result for SHA-256 d992ff3314e608db…

MALICIOUS

PDF

148.5 KB Created: 2020-08-05 06:01:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 607a54ed439ef81b33c6432b4f661462 SHA-1: cec9c29d25526ba726a89086166376a93a8421d5 SHA-256: d992ff3314e608dbe9434e8c2d672a2f7c5017c21cc30a64cab4c0aad3b8eb92
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=augmented+reality+pdf'. While the document body is heavily obfuscated, the presence of this malicious URL strongly suggests an attempt to lure the user to a harmful site. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=augmented+reality+pdf
    • http://files.whatisib.com/uploads/1/3/1/8/131856860/lotuxomeza-legajuvodelus-juzibuwutaxa-purab.pdf
    • http://files.bhatnagarlab.com/uploads/1/3/1/6/131636665/f7c38de17637db4.pdf
    • http://files.astarboards.com/uploads/1/3/2/7/132740485/618c23614bbce9.pdf
    • http://files.artofeliamariamc.com/uploads/1/3/1/4/131408017/8674534.pdf
    • https://cdn.shopify.com/s/files/1/0437/0821/9560/files/vlookup_formula_example.pdf
    • https://cdn.shopify.com/s/files/1/0435/3854/6840/files/86862014651.pdf
    • https://cdn.shopify.com/s/files/1/0432/3773/6603/files/10230815787.pdf
    • https://cdn.shopify.com/s/files/1/0427/6781/0726/files/kokisibifixivirowej.pdf
    • https://cdn.shopify.com/s/files/1/0432/7243/7910/files/vukasanu.pdf
    • https://cdn.shopify.com/s/files/1/0434/9270/4408/files/51429487201.pdf
    • https://cdn.shopify.com/s/files/1/0432/2315/4847/files/fundamental_attribution_error_theory.pdf
    • https://cdn.shopify.com/s/files/1/0439/7786/7422/files/11301826798.pdf
    • https://cdn.shopify.com/s/files/1/0432/7853/2758/files/69419121142.pdf
    • https://cdn.shopify.com/s/files/1/0433/4351/1702/files/14861434347.pdf
    • https://cdn.shopify.com/s/files/1/0430/6409/8970/files/74413956313.pdf
    • https://cdn.shopify.com/s/files/1/0438/3732/5472/files/nunufo.pdf
    • https://cdn.shopify.com/s/files/1/0432/4104/6171/files/gafunufirufogi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001f3ae.bin
1a794082407cbc98a7fe9986b15af6110fec8851ba4539c482a9fc9dbbfd2192		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F3AE 7252 bytes
font_01_sfnt_off00020c10.bin
3057b82f3049a39949cbbe71ccd4d54e1496e7380d0d42b803cdf6eee6e18ba7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20C10 5272 bytes
font_02_sfnt_off00021df7.bin
eba5f266be5c018179d212f13590fad858ebb50605d9735b1751abea6601a065		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21DF7 11472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.