Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c1b3f66c758c941…

MALICIOUS

PDF

67.1 KB Created: 2020-08-30 08:26:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c03974647a6588d4bd52bb6064694ab SHA-1: 46bd0da20fa9c6eca08feffe682c310ce5533076 SHA-256: 1c1b3f66c758c94108e1f2d0bbdb53e7edbea757cc07596c578200d86a3df7e6
208 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains heuristics indicating it is a lure for an advance-fee scam and a payment redirection scam. It includes embedded links, one of which, 'https://ttraff.club/wix?keyword=sample+bank+statements+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting the primary intent is to lead the user to this malicious site.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=sample+bank+statements+pdf
    • https://static.usrfiles.com/ugd/b8c837_7554a1c1d336409b989e723bb9805fba.pdf
    • https://static.usrfiles.com/ugd/5a1791_302b635ede7b413a94eeb37e9d3252d0.pdf
    • https://static.usrfiles.com/ugd/136d07_aa77a45b9bd9491bb603f9837be2eb76.pdf
    • https://static.usrfiles.com/ugd/b7306e_c09aee8b8117492fae86c80daaed896f.pdf
    • https://cdn.shopify.com/s/files/1/0434/9601/3990/files/wujizojumivetudubowitofo.pdf
    • https://cdn.shopify.com/s/files/1/0435/7714/7547/files/49954038051.pdf
    • https://cdn.shopify.com/s/files/1/0433/9928/2845/files/3d_logo_maker_online_free.pdf
    • https://cdn.shopify.com/s/files/1/0450/8496/7077/files/customer_journey_map_template_word.pdf
    • https://cdn.shopify.com/s/files/1/0437/7221/5448/files/whirlpool_dishwasher_manual.pdf
    • https://static.usrfiles.com/ugd/9904c2_1960c29bb0ce4dd58b2d8e7fb2c3e8f9.pdf
    • https://static.usrfiles.com/ugd/b8c837_69b72b5c419a41638619da79497bca0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_605c73bb4fdf4a62acfc805c535965d3.pdf
    • https://static.usrfiles.com/ugd/daca0d_71c8b8a180e8425e8542cdaa6d135621.pdf
    • https://static.usrfiles.com/ugd/74c34a_0a53e73b14b545978f942928b85ba0a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_63f9f500c42244b78287e1844a08accb.pdf
    • https://static.usrfiles.com/ugd/b56239_387f52d9b7074d188f73973dccb7d81d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ab2e.bin
85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB2E 2828 bytes
font_01_sfnt_off0000b528.bin
75f34ccab6cf9433691b03e1c40bcbded823ac5cfcfd21d59ef2127c1a49df94		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB528 5028 bytes
font_02_sfnt_off0000c621.bin
6e36a48ce5cd3f61ba7c164243684f927dae4cb74c64eae9267ddd87bc78d8ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC621 13536 bytes
font_03_sfnt_off0000f06c.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF06C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.