Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1b41e0b388ca2b8…

Verdict: MALICIOUS
File type: PDF
Size: 499.5 KB
Created: 2020-09-02 16:16:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a5c4d6df1afd2f6f22cf354bd898c014
SHA-1: c02615480d3dd81ae896533f0154e4cd8b31adc9
SHA-256: f1b41e0b388ca2b83176b270ac33424ef8fe211b206d91755f43dbba1c686938
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The document also requests sensitive recovery information, indicating a phishing or credential harvesting attempt. The embedded URL is the primary indicator of compromise.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Recovery secret / private key request [critical] SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=expressway+edge+deployment+guide
    • https://static.usrfiles.com/ugd/5ed537_fd113854f8d243a89edecb8359f95ad5.pdf
    • https://static.usrfiles.com/ugd/9cfd0a_f9a13217e9714e91a23ec2af1ba4b642.pdf
    • https://static.usrfiles.com/ugd/b42fd6_24f65b1e34094536aa54dd838a62fb3e.pdf
    • https://static.usrfiles.com/ugd/0f5b72_c4f776335a2b4a79b58fdfc5df373052.pdf
    • https://cdn.shopify.com/s/files/1/0450/0701/2004/files/minexonibozovad.pdf
    • https://static.usrfiles.com/ugd/3bf302_06de5c5d9c744ea9b87d2f65dd0d4f16.pdf
    • https://static.usrfiles.com/ugd/e02969_ae2af55e6ac5495b891f812349d53dea.pdf
    • https://cdn.shopify.com/s/files/1/0463/6842/4091/files/15399176484.pdf
    • https://cdn.shopify.com/s/files/1/0432/5713/5257/files/jobuwufifevipisofini.pdf
    • https://cdn.shopify.com/s/files/1/0433/5576/6942/files/patemawumibomodomolid.pdf
    • https://cdn.shopify.com/s/files/1/0430/4479/8613/files/godilusakopajemotifosono.pdf
    • https://cdn.shopify.com/s/files/1/0433/4052/9816/files/79562952453.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       SHA-256                                                           Kind             Source                                  Size
font_00_sfnt_off000761d4.bin   ab811f72c72ab0db0c0f5a1d17947c827743f2b850821283967914b5ef78cece  pdf-font-stream  PDF embedded font (sfnt) at offset 0x761D4  5496 bytes
font_01_sfnt_off0007749b.bin   c9836bce2da2a4c59ab9c47d7e96676a20689da333e4c52c181d5670dd48e322  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7749B  16208 bytes
font_02_sfnt_off0007a703.bin   da133098c8ec00180ce5fe37c74b807b143adc5860869a2f7b6211e455203b10  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7A703  16112 bytes