Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4e24434b1ff4890…

MALICIOUS

PDF

310.1 KB Created: 2020-09-03 02:57:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 059682863ab112706b8b4dbc7e6c293f SHA-1: f11a53ac46bdea58882d5e5d7cf0aac0b7f55fcd SHA-256: f4e24434b1ff4890a1b359d7e77ae97113c61a2bc13270840b96ee4368851be0
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/pify?keyword=ms+access+2016+programming+pdf'. Additionally, a heuristic indicates a 'Clipboard command execution lure', suggesting the document instructs the user to copy and paste content into a shell. This combination strongly implies an attempt to trick the user into executing a command that would likely lead to the download and execution of a malicious payload from the provided URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=ms+access+2016+programming+pdf
    • https://static.usrfiles.com/ugd/b8c837_951e570927e8432a904e5e6ccbc294f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_29124ebfb1394f6890e91d97662791a0.pdf
    • https://static.usrfiles.com/ugd/c33f71_fc18a9ae8c974b959cf64f210bf52887.pdf
    • https://static.usrfiles.com/ugd/ab922d_fd2bddb95fcb473ba9bcf353e39cb762.pdf
    • https://static.usrfiles.com/ugd/eaf48f_dd19fd6d06fb4e218cc26c3bfea038ec.pdf
    • https://cdn.shopify.com/s/files/1/0428/0041/4883/files/24667250447.pdf
    • https://cdn.shopify.com/s/files/1/0431/5014/7745/files/zotugifujitiwavaxu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5468/6617/files/block_strike_mod_apk_6._4._2.pdf
    • https://cdn.shopify.com/s/files/1/0431/0928/6042/files/kuvukew.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/ginowojero.pdf
    • https://cdn.shopify.com/s/files/1/0440/6486/6469/files/70137561997.pdf
    • https://cdn.shopify.com/s/files/1/0431/7731/2407/files/17049296986.pdf
    • https://static.usrfiles.com/ugd/72216b_13cad7d72fb345599793594c3b8e7037.pdf
    • https://static.usrfiles.com/ugd/97493d_9621092cd709414594d30a124a67fbaf.pdf
    • https://static.usrfiles.com/ugd/120f26_3b2d5ce8385e416dab47e41ec2c53c76.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00048185.bin
ba79d8d607fc0fb2df8c68f4fc79e139485a06c43f455da61d9f5f4f2015e071		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48185 5928 bytes
font_01_sfnt_off000495a9.bin
aa4e22975cf7e02719bb8614775adeaeb84aee26f85a8738988f146967c34f94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x495A9 16728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.