Malicious PDF — malware analysis report

Static analysis result for SHA-256 ead4d6db4de9f9bd…

Verdict: MALICIOUS
File type: PDF
Size: 260.6 KB
Created: 2020-08-23 22:51:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c250a70f90b57f271b22f6de02c12bb
SHA-1: df6ca07770b6e0eafb65d7cb79880c69621e1773
SHA-256: ead4d6db4de9f9bd32d73ad59646998f2851c1302dc19aa6249d98ae043a6a40
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1059.001 PowerShell (platform tag, not corroborated by any script extracted from this sample)

A heuristic fired on a clickable link annotation whose target is the known redirector domain 'ttraff.cc'. The document body, although heavily obfuscated, appears to carry the same URL. The primary intent is therefore to move the reader to a malicious site through a redirect chain rather than to exploit the PDF reader. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping is not supported by any artifact in this file and should be read as a campaign-level tag, not as a property of the document.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=idsa+guidelines+for+hospital+acquired+pneumonia (the redirector target that fired PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://durip.fingers4hiretranscription.com/uploads/1/3/1/4/131437130/1899151.pdf
    • http://files.ustars.org/uploads/1/3/0/8/130815437/5320563.pdf
    • http://sibaviwed.bekindbeyou.com/uploads/1/3/0/8/130874030/6544784.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6677/files/bodoni_72_bold_italic_free.pdf
    • https://cdn.shopify.com/s/files/1/0437/9426/8320/files/bocio_coloide_nodular.pdf
    • https://cdn.shopify.com/s/files/1/0430/3034/7938/files/16290141221.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/doragewotupepefe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13578549785.pdf
    • https://cdn.shopify.com/s/files/1/0433/3358/2998/files/center_parcs_whinfell_forest_map.pdf
    • https://cdn.shopify.com/s/files/1/0430/4008/0025/files/kufuzafixubabebunapax.pdf
    • https://cdn.shopify.com/s/files/1/0432/2839/7727/files/munezexekaligogawetowegux.pdf
    • https://cdn.shopify.com/s/files/1/0431/4890/2556/files/absceso_hepatico_piogeno.pdf
    • https://cdn.shopify.com/s/files/1/0431/2596/4949/files/40315918295.pdf
    • https://cdn.shopify.com/s/files/1/0434/4505/9749/files/1172053622.pdf
    • https://cdn.shopify.com/s/files/1/0437/2283/4071/files/cbap_certified_business_analysis_professional_all_in_one_exam_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/8408/6424/files/lopenalufova.pdf
    Standard XMP/RDF namespace identifiers from the document metadata (present in nearly every PDF; not network indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
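The per-channel labelling the EMBEDDED_URL heuristic describes is easy to reproduce for triage. The script below is an added example written for this report, not the analysis platform's own extractor: it pulls URLs from a PDF through three channels (URI actions on link annotations, decompressed stream bodies, plain object dictionaries), separates the standard XMP namespace identifiers from real indicators, and flags hosts on a watchlist. It is dependency-free and deliberately small (no xref or object-stream parsing, no encryption, only FlateDecode). The watchlist and the PDF built by build_sample_pdf() are constructed for the demo; only the ttraff.cc domain comes from the report.

```python
"""Triage helper: pull URLs out of a PDF and label the channel each one came through.

Added example for this report; not the analysis platform's own extractor.
Dependency-free and deliberately small: no xref parsing, no object streams,
no encryption, only FlateDecode. The watchlist and the PDF produced by
build_sample_pdf() are constructed for the demo.
"""
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s<>\"'()\]]+")
# Standard XMP/RDF namespace identifiers; present in nearly every PDF's
# metadata and not network indicators.
XMP_NS_PREFIXES = (
    b"http://www.w3.org/1999/02/22-rdf-syntax-ns",
    b"http://purl.org/dc/elements/1.1/",
    b"http://ns.adobe.com/",
)
# Hypothetical watchlist for the demo; ttraff.cc is the domain named in the report.
REDIRECTOR_DOMAINS = {b"ttraff.cc"}

# (?<!end) stops the "stream" inside "endstream" from opening a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# URI action on a link annotation: /A << /S /URI /URI (target) >>
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def stream_bodies(pdf):
    """Yield decoded stream bodies; a body that does not inflate is yielded raw."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw


def extract_urls(pdf):
    """Return {url: set(channels)}; channels are 'link annotation',
    'content stream', 'object dictionary' or 'xmp namespace'."""
    found = {}

    def add(url, channel):
        found.setdefault(url, set()).add(channel)

    # Channel 1: clickable link annotations (what PDF_MALICIOUS_REDIRECTOR_LINK keys on).
    uri_targets = {m.group(1) for m in URI_ACTION_RE.finditer(pdf)}
    for url in uri_targets:
        add(url, "link annotation")

    # Channel 2: URLs inside (decompressed) stream bodies, i.e. the page content
    # streams and the XMP metadata packet.
    for body in stream_bodies(pdf):
        for url in URL_RE.findall(body):
            add(url, "xmp namespace" if url.startswith(XMP_NS_PREFIXES) else "content stream")

    # Channel 3: URLs sitting in plain object dictionaries that are not URI actions.
    for url in URL_RE.findall(STREAM_RE.sub(b"", pdf)):
        if url not in uri_targets:
            add(url, "xmp namespace" if url.startswith(XMP_NS_PREFIXES) else "object dictionary")
    return found


def flag_redirectors(found, watchlist=REDIRECTOR_DOMAINS):
    """Return {url: sorted channels} for every URL whose host is on the watchlist."""
    hits = {}
    for url, channels in found.items():
        m = re.match(rb"https?://([^/:?#]+)", url)
        if m and m.group(1).lower() in watchlist:
            hits[url] = sorted(channels)
    return hits


def build_sample_pdf():
    """Constructed sample: one page, one link annotation, one Flate content stream
    carrying the same URL, and one uncompressed XMP metadata stream."""
    target = b"https://ttraff.cc/pify?keyword=x"
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (see " + target + b") Tj ET")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF>')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] /A << /S /URI /URI (" + target + b") >> >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"%%EOF\n"


if __name__ == "__main__":
    urls = extract_urls(build_sample_pdf())
    for url, channels in sorted(urls.items()):
        print(url.decode(), "<-", ", ".join(sorted(channels)))
    print("redirector hits:", flag_redirectors(urls))
```

Run against the constructed sample, the ttraff.cc URL is reported through both the link annotation and the content stream, which is the same two-channel picture the report describes for the real file, while the XMP namespace URIs are labelled as such and never reach the watchlist check. On a real sample, point extract_urls at the file bytes; fonts and images inflate to binary that URL_RE simply ignores.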

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0003c16e.bin
  SHA-256: b951a4c41f4d5fc2dd9777fc3c5ce13779023ed802d8491e632402ea11d3c568
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3C16E
  Size:    5632 bytes

Filename: font_01_sfnt_off0003d467.bin
  SHA-256: d1e3c16188ea4a2a87dd5e67dffb0e9b2a851a5da1fe269ed6fba07b7b98a58c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3D467
  Size:    15212 bytes
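Carved fonts are worth a structural sanity check before they are dismissed as benign, since a table record that points outside the font is the kind of defect a font parser trips over. The script below is an added example for this report, not the analysis platform's carver: it reads the sfnt offset table and table directory at a given byte offset, reports any record that runs past the end of the buffer, and returns the carved bytes with their SHA-256. The offsets in the table above (0x3C16E, 0x3D467) are where it would be pointed at the real sample; it assumes the bytes at that offset are an already-inflated sfnt (a FlateDecode font stream must be decompressed first). The buffer built by build_sample() is constructed so the demo runs offline.

```python
"""Sanity-check and carve an sfnt (TrueType/OpenType) font at a byte offset.

Added example for this report; not the analysis platform's carver. Assumes
the bytes at `offset` are an uncompressed sfnt. build_sample() constructs a
small two-table TrueType font inside filler bytes for the demo.
"""
import hashlib
import struct

SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
}


def parse_sfnt(data, offset=0):
    """Parse the 12-byte offset table and the 16-byte table records at `offset`.

    Returns the flavour, the (tag, offset, length) records, the byte span the
    font occupies, and findings for any record that points outside the buffer.
    Raises ValueError when there is no sfnt magic at the offset.
    """
    magic = data[offset:offset + 4]
    if magic not in SFNT_MAGICS:
        raise ValueError("no sfnt magic at offset 0x%X" % offset)
    (num_tables,) = struct.unpack_from(">H", data, offset + 4)
    tables, findings = [], []
    end = offset + 12 + 16 * num_tables          # at least the directory itself
    for i in range(num_tables):
        rec = offset + 12 + 16 * i
        if rec + 16 > len(data):
            findings.append("table directory truncated after %d of %d records" % (i, num_tables))
            break
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, rec)
        tables.append((tag, toff, tlen))
        if offset + toff + tlen > len(data):
            findings.append("table %s [off=0x%X len=%d] runs past end of buffer"
                            % (tag.decode("latin-1"), toff, tlen))
        else:
            end = max(end, offset + toff + tlen)
    return {"flavour": SFNT_MAGICS[magic], "num_tables": num_tables,
            "tables": tables, "span": (offset, end), "findings": findings}


def carve_sfnt(data, offset):
    """Slice the font out of `data`; return (font bytes, sha256 hex, parse info)."""
    info = parse_sfnt(data, offset)
    start, end = info["span"]
    blob = data[start:end]
    return blob, hashlib.sha256(blob).hexdigest(), info


def build_sample():
    """Constructed buffer: 9 filler bytes, a 54-byte two-table TrueType sfnt, a trailer.
    Returns (buffer, offset_of_font)."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 2, 32, 1, 0)   # numTables = 2
    records = (struct.pack(">4sIII", b"head", 0, 44, 4) +                 # head at 44, 4 bytes
               struct.pack(">4sIII", b"name", 0, 48, 6))                  # name at 48, 6 bytes
    font = header + records + b"\x00\x01\x00\x00" + b"NAMEXX"
    filler = b"%PDF-1.4\n"
    return filler + font + b"\nendstream\n", len(filler)


if __name__ == "__main__":
    buf, off = build_sample()
    blob, digest, info = carve_sfnt(buf, off)
    print(info["flavour"], info["num_tables"], "tables,", len(blob), "bytes, sha256", digest)
    for finding in info["findings"]:
        print("finding:", finding)
```

The span returned by parse_sfnt ends at the last table's end, so the carved size is derived from the directory rather than guessed from the next object's offset; a font whose directory claims more bytes than the buffer holds shows up in findings instead of silently producing a truncated artifact.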