Malicious PDF — malware analysis report

Static analysis result for SHA-256 f060af000458471c…

MALICIOUS

PDF

Size: 147.1 KB
Created: 2020-09-17 15:39:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 532914a9b12f15a007352ba77bca26a3
SHA-1: 3c425d7f7727618124194ecf232bb068df1e2da5
SHA-256: f060af000458471c6815f588fbe2fe4ac4a498821bbcc3d1dfe9ec7f26cb6590
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=kuroko+no+basket+episode+guide'. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The heuristic 'SE_URGENCY_LURE' also indicates the document uses deceptive language to encourage user interaction. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical) [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Urgency / deadline lure (severity: low) [SE_URGENCY_LURE]
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=kuroko+no+basket+episode+guide
    • http://files.3rdlayertattoo.com/uploads/1/3/0/8/130815277/5030376.pdf
    • https://4f7c7518-1bf6-4661-9da4-404e970d70e6.filesusr.com/ugd/d5415a_acbf19cb477f4717a0843f54da0417d5.pdf?index=true
    • https://97d2cdaa-8660-4b43-b9bf-bf62108bb6a2.filesusr.com/ugd/e50c99_cf02df8057ea48ebb115262c9f50ca4e.pdf?index=true
    • https://eaee6b7d-e665-4688-9a7b-af6a3de5b2a8.filesusr.com/ugd/b48b60_0090a2314e5c44f4922cf3e36e94dd03.pdf?index=true
    • https://6afcf012-6dde-4e2b-92df-25cb3cf3c696.filesusr.com/ugd/c722c2_f4f995ed74bd43a08dd8b99a0480fdd0.pdf?index=true
    • https://4e0e2daf-6d33-4e9b-81f1-c85f687ec59f.filesusr.com/ugd/003b86_126aa72fb07b4145b29cb814eb63f243.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/0138/7936/files/moxagutobir.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/86477918810.pdf
    • https://cdn.shopify.com/s/files/1/0481/4068/1369/files/56785215380.pdf
    • https://cdn.shopify.com/s/files/1/0432/4684/6119/files/telugu_bible_books_free.pdf
    • https://cdn.shopify.com/s/files/1/0483/9093/0592/files/40109641731.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/damegadunuje.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                     | Size
font_00_sfnt_off00017429.bin | 2656c5c2fa865e89b134f244606975698a0109a656b28c9555bb243c29a5db5e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17429 | 48468 bytes
font_01_sfnt_off00020840.bin | f6fcbaed77edafd78893c3c721d8aa1d299de7cfe5f1f5339bfc1ae0b37a0001 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x20840 | 5268 bytes
font_02_sfnt_off00021a36.bin | ad635758f47a60cc959364a02ff396fcfc1c49ebb7a3c559bd5e75592772338c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21A36 | 10804 bytes