Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe8c3a8a83e4aaf6…

MALICIOUS

PDF

Size: 155.1 KB
Created: 2020-08-01 16:59:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5031f782a0c95c70c045c38d05592d6f
SHA-1: 8899bdfeaec592bbf74387c0c26abb27572357ad
SHA-256: fe8c3a8a83e4aaf62d4b7add07922a028e295118c91fab53f69ba710f269a5bd
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggered a heuristic for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=oh+you%2527+re+approaching+me+copypasta'. The document body, although heavily obfuscated, appears to contain this URL, suggesting that the primary intent is to lure the user into visiting this site. No scripts were extracted and the file type is PDF, so the sample is best characterised as a social engineering lure rather than an exploit document.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=oh+you%2527+re+approaching+me+copypasta

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001feff.bin | 35c135bf35f91fe861633eddc738c53a6cc63645fd63298a377b52bb01f5e016 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FEFF | 11908 bytes
font_01_sfnt_off00022622.bin | d1e84c7506dd5acbb26c64e7b3ac0dafb790cc561062987c10eecd5504ef772c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x22622 | 5480 bytes
font_02_sfnt_off000238a4.bin | 1d122ef8551cd6af05f878e6ee435d1466861b539e439132363c851fa4a4f317 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x238A4 | 10664 bytes