Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0f3a9499dfcf716…

MALICIOUS

PDF

465.3 KB Created: 2020-07-31 07:02:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86cb9ab1fe94208d3595c66e594d849e SHA-1: 857594042318a8ee91881eba7ee7ff489eacccc5 SHA-256: f0f3a9499dfcf716c23f9ae8aeb679b95fc9702f26523fee6480947f54f8bdde
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link to ttraff.ru. The document body, though heavily obfuscated, contains text related to 'read bastard out of carolina pdf' and metadata indicating it was generated by wkhtmltopdf. The primary malicious indicator is the embedded URL, which is known to host malicious redirectors. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=read+bastard+out+of+carolina+pdf
    • http://files.orlistrone.com/uploads/1/3/1/3/131383743/gizegebixafev.pdf
    • http://files.lessons4learners.com/uploads/1/3/2/7/132740536/9970031.pdf
    • http://files.herbaceouslyurban.com/uploads/1/3/1/4/131406369/jajebetukikape.pdf
    • http://files.rgcconline.com/uploads/1/3/0/9/130969305/8283940.pdf
    • http://files.cupcakecafe.me/uploads/1/3/0/7/130738988/xumixetidibevoxelob.pdf
    • https://cdn.shopify.com/s/files/1/0431/4388/9058/files/nugitawugufigonug.pdf
    • https://cdn.shopify.com/s/files/1/0433/4590/3774/files/8210674613.pdf
    • https://cdn.shopify.com/s/files/1/0429/8643/8807/files/ligajasoxigosugo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/parisibudipaxetiwori.pdf
    • https://cdn.shopify.com/s/files/1/0432/4396/2532/files/jozeberosagodejiwoza.pdf
    • https://cdn.shopify.com/s/files/1/0435/2232/6696/files/lipepoler.pdf
    • https://cdn.shopify.com/s/files/1/0433/7883/5606/files/saramewom.pdf
    • https://cdn.shopify.com/s/files/1/0429/7241/4106/files/69721718950.pdf
    • https://cdn.shopify.com/s/files/1/0430/4447/0945/files/45877982254.pdf
    • https://cdn.shopify.com/s/files/1/0436/4258/5241/files/72803348515.pdf
    • https://cdn.shopify.com/s/files/1/0433/9014/0581/files/58307188986.pdf
    • https://cdn.shopify.com/s/files/1/0435/0607/3759/files/57895042577.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0006f901.bin
aa192011d0d7f084322a597ed2761b9479b79343b15438b86120e7aa2977e5bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F901 5180 bytes
font_01_sfnt_off00070aa7.bin
5e9ba63959b057075cc3c67850a643f44044b65ae93fe6c746b661e89c05b9c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70AA7 13312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.