PDF malware analysis — malicious · fade226c282faa0c

MALICIOUS

PDF

168.1 KB Created: 2020-07-26 21:24:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 60faf37fade6f29ff6db43a8e5c0bc3b SHA-1: 897476fba9340cfe659355d638ac84660db6fa83 SHA-256: fade226c282faa0c05d69b3ce2d199c764c202a56d242c0432cdf0988bec97c0

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=apache+commons+stringutils'. This indicates the document is designed to lure users to a potentially harmful website. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine the exact nature of the lure beyond the malicious redirect.

Heuristics 2

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=apache+commons+stringutils
- http://files.clickingcanvases.com/uploads/1/3/0/7/130775828/xarumoperotamilozap.pdf
- http://files.cmforrester.com/uploads/1/3/2/6/132682976/6044513.pdf
- http://files.jameshynes.com/uploads/1/3/1/4/131454190/rifuwap_xebadelorem_vujujizaged.pdf
- http://files.askjj.org/uploads/1/3/1/4/131453355/c4446b32e9281f.pdf
- http://files.heightshightigers1988.com/uploads/1/3/1/4/131437333/fepimevekewan.pdf
- https://cdn.shopify.com/s/files/1/0429/4865/7318/files/fajufibevetijegoxozi.pdf
- https://cdn.shopify.com/s/files/1/0435/7426/3963/files/lulimuvusamapafita.pdf
- https://cdn.shopify.com/s/files/1/0434/4017/7317/files/46740314715.pdf
- https://cdn.shopify.com/s/files/1/0434/7586/1656/files/rotobuxeromimiwa.pdf
- https://cdn.shopify.com/s/files/1/0429/7831/2355/files/44488800982.pdf
- https://cdn.shopify.com/s/files/1/0434/5656/1318/files/80917960644.pdf
- https://cdn.shopify.com/s/files/1/0431/8212/9320/files/32664844569.pdf
- https://cdn.shopify.com/s/files/1/0431/1583/9645/files/38020507904.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87277754858.pdf
- https://cdn.shopify.com/s/files/1/0433/2378/5370/files/15397491878.pdf
- https://cdn.shopify.com/s/files/1/0427/4513/5260/files/93892521761.pdf
- https://cdn.shopify.com/s/files/1/0433/8001/5262/files/juwagipuloxabewidefovuxi.pdf
- https://cdn.shopify.com/s/files/1/0435/1829/6216/files/tifigeputisovalilakopad.pdf
- https://cdn.shopify.com/s/files/1/0427/9474/6023/files/82179184300.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0002336f.bin` `e24231b5c1b0605ed925b08b4438bd7940e59c8a228c02411322f7eb302c5088`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2336F	5220 bytes
`font_01_sfnt_off000244f8.bin` `ab9ba0c79a9cbd9fa2975fd59e0a146fb6d2dccbe2a0e4210e43de9e47cd9561`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x244F8	2736 bytes
`font_02_sfnt_off00025019.bin` `c78e374134dc29a8deafd0a5c1c96d2b5d45c79520cb82fa03bf84a142a46701`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x25019	17532 bytes
`font_03_sfnt_off00028644.bin` `382445cfc7ffd8723aa1f81c4e67e2835e84047cb8baa5c82828e1c6995fac1a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x28644	2668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.