Malicious PDF — malware analysis report

Static analysis result for SHA-256 edf4b54dfda0859a…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-08-12 02:43:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 764ef3d0e7a777230789282da934182b
SHA-1: eac468f6528e0456305483c8239c86a11dd4c810
SHA-256: edf4b54dfda0859ab3f8f18f28619db26d28556ace5ad8d646dc8b962dca31cf
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous links, with a critical heuristic identifying a link to a known malicious redirector at traff.cc. The document body, though heavily obfuscated, contains the same URL. This suggests the primary purpose is to redirect the user to malicious content, likely for phishing or malware delivery.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.cc/pify?keyword=broaden+and+build+theory+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000088c9.bin
  SHA-256: 5a510e31c9b0aa196053d21d278b23d70d16c0f40695cd303a68e260a4564490
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x88C9
  Size: 5240 bytes

Filename: font_01_sfnt_off00009a98.bin
  SHA-256: aaa87de4d2f2df84eb0481d304537dc0447b6e2c2e3f0964854262ca0311ca6a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9A98
  Size: 10116 bytes