Malicious PDF — malware analysis report

Static analysis result for SHA-256 df684f1c421801cf…

Verdict: MALICIOUS
File type: PDF
Size: 281.7 KB
Created: 2020-07-30 19:41:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c08e718650b5f5dc75efb646bc4a252
SHA-1: 20bb3f53dd674b24f97befdbe6f75ee5605d85a8
SHA-256: df684f1c421801cf6e9f0fb136a6453dbd06a1d25d9ff3bf32541dcc5869583c
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (note: T1566.002 is Spearphishing Link; Spearphishing Attachment is T1566.001. The sample is a PDF attachment whose only payload is a clickable link, so either sub-technique fits.)
T1059.001 PowerShell (tagged, but unsupported by this report: no script or PowerShell artifact was extracted from the sample)

The critical heuristic fired on a clickable link to known malicious redirector infrastructure: 'https://ttraff.ru/pify?keyword=arcady+petrov+livros+pdf'. This link is the primary indicator of malicious intent; its keyword parameter is a search phrase, which matches the SEO-spam lure pattern the heuristic describes, and the remaining extracted links point to other PDFs under /uploads/ paths on assorted hosts and on cdn.shopify.com, consistent with the same campaign's landing pages. No readable body text was extracted, so there is no clear textual lure; the document was produced by wkhtmltopdf from HTML and carries three embedded fonts. No scripts were extracted from this sample, so the verdict rests on the URL evidence alone. The expected attack path is a user-interaction redirect chain (click the link, follow the redirector), not a PDF parser exploit.

Heuristics (2)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=arcady+petrov+livros+pdf
    • http://files.proteus-internetmarketing.com/uploads/1/3/1/6/131637014/nejit_tuvuwirejivat.pdf
    • http://files.hiltonheadislandinvitational.com/uploads/1/3/1/6/131637150/benepoxisu.pdf
    • http://files.irelandandchina.com/uploads/1/3/2/6/132682681/91f4755f8af2f5.pdf
    • http://files.mepalparish.org/uploads/1/3/1/4/131407194/sogitixijapemil.pdf
    • http://files.madonnaforinspiration.com/uploads/1/3/1/0/131070561/8da74ae57f01d.pdf
    • https://cdn.shopify.com/s/files/1/0429/8362/0757/files/70647342024.pdf
    • https://cdn.shopify.com/s/files/1/0437/3141/9287/files/puros.pdf
    • https://cdn.shopify.com/s/files/1/0430/3519/7602/files/70322680073.pdf
    • https://cdn.shopify.com/s/files/1/0431/4470/8245/files/4858464488.pdf
    • https://cdn.shopify.com/s/files/1/0431/7678/8134/files/17465238647.pdf
    • https://cdn.shopify.com/s/files/1/0430/4257/0401/files/pizuboxedajidomumapupeje.pdf
    • https://cdn.shopify.com/s/files/1/0435/8494/6333/files/bimuxiwubesus.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7293/files/50670123013.pdf
    • https://cdn.shopify.com/s/files/1/0430/8120/3861/files/25626939983.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gubiwunezekubukezo.pdf
    • https://cdn.shopify.com/s/files/1/0430/8120/3861/files/3206480152.pdf
    • https://cdn.shopify.com/s/files/1/0432/2872/5405/files/31967081414.pdf
    • https://cdn.shopify.com/s/files/1/0427/9291/1007/files/jamovodapikumaju.pdf
    • https://cdn.shopify.com/s/files/1/0432/6716/2276/files/popoxajejadixopenetaneveg.pdf
    The following six entries are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links; they are listed for completeness only:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType-family) font streams, the normal rendering resources of an HTML-to-PDF conversion; nothing executable was carved.

font_00_sfnt_off000407c0.bin
  SHA-256: 8c1eb9a4da4ef2a0e72cb3f1cb3f5ad1d50f9928796efd86b4f3fee91dc66db6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x407C0
  Size: 1840 bytes

font_01_sfnt_off000410ab.bin
  SHA-256: 95dfac53e58070df2d97093f5359bce2b352d97575aebd30c2a69f46cf451635
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x410AB
  Size: 4980 bytes

font_02_sfnt_off000421b6.bin
  SHA-256: 3d5231a0f9c90050e7822bf0f901f3804165bee35d1e5681067067fa4ffb54aa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x421B6
  Size: 19596 bytes