Malicious PDF — malware analysis report

Static analysis result for SHA-256 e48f6b567aaa43a1…

Verdict: MALICIOUS
File type: PDF
Size: 178.5 KB
Created: 2020-09-10 18:46:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8da59c6cafa1c592b881105b3847fd6f
SHA-1: fe052b9302ddd5053ceb2566072af807044e6e04
SHA-256: e48f6b567aaa43a1993c7cddc6abd50ba1acef339f48be09818538a499994df7
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing indicating a malicious redirector link. The embedded URL, 'https://ttraff.club/pify?keyword=americanah+themes+pdf', is identified as malicious. The document body, though heavily obfuscated, contains this URL, suggesting the primary intent is to redirect the user to this malicious site, likely for further exploitation or phishing.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/pify?keyword=americanah+themes+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: stream_008_off00029c8d.bin
  SHA-256: b383ae4b9eb1fb2e0b1b2217cd457a1c72390df1b70f8969506b72689f15fbbf
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x29C8D
  Size: 19504 bytes

Filename: font_00_sfnt_off00026334.bin
  SHA-256: 7d6a543d33840c1eddc07b5460661ab80dd26a4ea204ca4432ac0d3d510f7033
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26334
  Size: 5352 bytes

Filename: font_01_sfnt_off0002753f.bin
  SHA-256: 0035f697691d0e15105ab8c68f0c464849a69e39e893e0989906a3d7cd6d0f1e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2753F
  Size: 11724 bytes