Malicious PDF — malware analysis report

Static analysis result for SHA-256 e10d394aac66d91b…

MALICIOUS

PDF

177.7 KB Created: 2020-08-15 02:29:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 22165a5b74e833174b9a73dbd413e25c SHA-1: 2cb135887eb58918e26909d9daa74cb09b3f9a39 SHA-256: e10d394aac66d91b9677c29f5fb58b85774544809696db79b67de0bf2402d543
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=sinusitis+guidelines+thai'. This URL is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains text that suggests an urgency lure, further supporting a phishing or malware delivery attempt. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=sinusitis+guidelines+thai
    • http://ginawala.pineridgecleaning.com/uploads/1/3/1/0/131070450/kivub.pdf
    • https://cdn.shopify.com/s/files/1/0429/8581/6218/files/58809716974.pdf
    • https://cdn.shopify.com/s/files/1/0432/1506/1153/files/lovomiwotoge.pdf
    • https://cdn.shopify.com/s/files/1/0434/1802/6142/files/gamazodoxif.pdf
    • https://cdn.shopify.com/s/files/1/0432/6440/9755/files/39253953837.pdf
    • https://cdn.shopify.com/s/files/1/0430/1992/7713/files/fekupuzixosobobidewe.pdf
    • https://cdn.shopify.com/s/files/1/0429/5308/0991/files/bunker_mentality_size_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/0587/8167/files/30500497997.pdf
    • https://cdn.shopify.com/s/files/1/0430/8572/5857/files/47947552309.pdf
    • https://cdn.shopify.com/s/files/1/0432/9376/9894/files/9728308565.pdf
    • https://cdn.shopify.com/s/files/1/0432/9072/2472/files/38335915783.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00025ee8.bin
5bd67b2fff22a612a69cde9a39fa8701a6a8c5871c1a30a2278db31e753b5b1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x25EE8 5096 bytes
font_01_sfnt_off00027026.bin
5204f36d98913dd5c3fdf6585f49f9f3bc65cccded3e0e937e435e4a1a272875		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27026 16160 bytes
font_02_sfnt_off0002a307.bin
d45d12848958282de39b142cfa09707c71f16ee380687cf2864ad244dcb0ce69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2A307 16608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.