Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4fe3a8f52502e80…

Verdict: MALICIOUS
File type: PDF
Size: 151.1 KB
Created: 2020-08-01 06:16:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c0e267dc204307095fbe20f2714ede2
SHA-1: f993adc6902d1c95e440f143b82ceca8588c73c5
SHA-256: e4fe3a8f52502e800948317ca71b98509c231d6370c60bf10f658cd70fbe648f
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical-severity heuristic fired on this PDF, indicating a link to malicious redirector infrastructure. The embedded URL, 'https://ttraff.com/pify?keyword=a+linear+systems+primer+solution+manual+pdf', is the primary indicator of malicious intent. Redirection of this type is commonly used to lead users to phishing sites or to initiate malware downloads.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=a+linear+systems+primer+solution+manual+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
------------------------------|-----------------|---------------------------------------------|------------
font_00_sfnt_off00021649.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21649  | 5276 bytes
  SHA-256: 948fd4bbffdcef53fd0a503a6f20f0efbaa505580ca6d0e33efdf0535adfd5d1
font_01_sfnt_off00022831.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x22831  | 11052 bytes
  SHA-256: dd1a2297ddb0320843caf62ec468a691667e3c7323ec0f38bb1425c25ef96c02