Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8f19277e8211ee5…

Verdict: MALICIOUS
File type: PDF
Size: 43.6 KB
Created: 2020-10-05 02:15:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b23d0f37edfcb93c0e7c80dbd85b2c0
SHA-1: 464fb2868eaa9b56b22309c6f994b10e0100402f
SHA-256: f8f19277e8211ee5e92e4a037da58393d99ec11955442d0c4f5a273269aacbb0
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, which is a common tactic for delivering further malicious content. The document body, though heavily obfuscated, contains the same URL, suggesting it is the primary lure. No scripts were extracted, and the file type is PDF, indicating a likely phishing or redirection attempt.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • [URL] https://ttraff.link/pify?keyword=captains+of+industry+or+robber+barons+dbq+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005d15.bin
  SHA-256: 5cf412acf4cd8b140d2c320136f6cd56fafd10463d3be3dc3bd63af9670a6b5b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D15
  Size: 5368 bytes

Filename: font_01_sfnt_off00006f6d.bin
  SHA-256: d0d904ff00fd9e314156d061d3ec402a7c0717b71b9670a1122ae99f7eacd44e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6F6D
  Size: 10352 bytes

Filename: font_02_sfnt_off000092c2.bin
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x92C2
  Size: 4324 bytes