Malicious PDF — malware analysis report

Static analysis result for SHA-256 df23a0cd7bc2964c…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Created: 2020-09-01 22:27:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a5ec5b28b29ccbb2edbb7ad1e35e035
SHA-1: ac3e220570355eadedf11485a368eb0ca9a16c32
SHA-256: df23a0cd7bc2964c7a6506fc1bf0e1a2b606c1cc5193cd13e64f250ac2d48077
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggered a heuristic indicating that it is a malicious redirector. The embedded URL, https://ttraff.ru/wix?keyword=lol+champion+build+guides, is the primary indicator of malicious activity. The document body, although heavily obfuscated, also contains this URL, which reinforces the redirection assessment. No scripts were extracted, which limits further analysis of the payload.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=lol+champion+build+guides (the redirector link flagged above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000054c7.bin
    SHA-256: 82e3cc0bea2e8b8c048540d393e0a0f1a200fb8d4cfd48ca1927de6609e329a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54C7
    Size: 5472 bytes
  • font_01_sfnt_off00006735.bin
    SHA-256: 13c8d54c562abf708e5982ee350611177d85e58fd8576c5950e36d8aca7239e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6735
    Size: 10388 bytes