Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6e2e2c28f0b98d7…

MALICIOUS

PDF

Size: 168.6 KB
Created: 2020-08-11 21:24:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fbf502a85e0926eed2ebe109081c08a
SHA-1: 076416a6e7720a7a1f441486e323708e9eb303ba
SHA-256: f6e2e2c28f0b98d76eb5da24b7ac983b998d9d923ac5b4c2a855458ddf8263ed
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical-severity heuristic fired on this PDF, indicating a link to a malicious redirector at ttraff.com. The URL embedded in the document body points to the same malicious domain. This suggests the document's primary purpose is to lure the user to that site, likely for phishing or to download further malicious content. No scripts were extracted, which limits analysis of the exact payload.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, id: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=gb+shaw+arms+and+the+man+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00025a14.bin
  SHA-256: 6dc3efc8495e237e7bd3579a76845fff3941b71c7350cad99be7efa53d221b75
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x25A14
  Size: 5512 bytes

Filename: font_01_sfnt_off00026cc1.bin
  SHA-256: c17e644f99faec0fc0ed152ad1d93e7767c3d95310e424e99428ef493df9c4fa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26CC1
  Size: 11740 bytes