Malicious PDF — malware analysis report

Static analysis result for SHA-256 f19d16860e6ba3e8…

Verdict: MALICIOUS
File type: PDF

Size: 173.3 KB
Created: 2020-08-13 17:00:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77789c2d94d7d2cfb93f5a1edb9246f7
SHA-1: 1b60ac33dbb967a4b29c25f679db7e59efe610c7
SHA-256: f19d16860e6ba3e80496b484f1858ea354f138de9fab56db1cb0d481a07c3a27
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical heuristic for a malicious redirector link. The embedded URL 'https://ttraff.ru/wb?keyword=incucyte%20s3%20manual' is flagged as malicious. This suggests the document's primary purpose is to lure the user into clicking through to this external site, likely for phishing or to download further malicious content. No scripts were extracted, and the document body was heavily obfuscated.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=incucyte%20s3%20manual
    The following extracted URLs are standard XMP/RDF metadata namespace identifiers from the document's metadata stream, not navigable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00025cc2.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x25CC2
  Size:    4776 bytes
  SHA-256: 57a055284ad9d3a0abc49572a972eba6230abd97edb0d45430c813d9a43aa517

Filename: font_01_sfnt_off00026ce0.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x26CE0
  Size:    13528 bytes
  SHA-256: b15f3b05837f07e3252e1e16c07751c5f3ee76851f74b48244e4b89c5a20eaa3

Filename: font_02_sfnt_off000297f8.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x297F8
  Size:    4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3