Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec91bd47dbf8c578…

Verdict: MALICIOUS
File type: PDF
Size: 146.8 KB
Created: 2020-08-02 10:09:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 424ea40cb873f3dfedd2040557ad5019
SHA-1: dba0e457b426c8cf7afd8a10bce6645e95f520b0
SHA-256: ec91bd47dbf8c578fc91b9924f893ea3d459f1a7b58aec888ef9e27b43c98f2d
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fired on this PDF, indicating a malicious redirector link. The embedded URL 'https://ttraff.cc/pify?keyword=uk+phone+number+format' is the primary indicator of malicious intent. The document body, although heavily obfuscated, appears to contain the same URL, which reinforces its role in the attack. The file was authored with wkhtmltopdf, suggesting it is a generated document rather than one created by a typical user.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=uk+phone+number+format

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0001e81c.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x1E81C   4960 bytes
    SHA-256: 4a0cc83eba83c3c60169dbcb2dbfb63514cb9c861ca2dd1ea8cf6105b22ddc01
font_01_sfnt_off0001f8c1.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x1F8C1   17276 bytes
    SHA-256: fdb1d52e080c3adbf2db90dec7797e6c256121514973058baee61266ccae7055
font_02_sfnt_off00022d95.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x22D95   4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3