Malicious PDF — malware analysis report

Static analysis result for SHA-256 215eae59f58a2ad6…

MALICIOUS

PDF

236.6 KB Created: 2020-08-07 03:08:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d6e88362c522a9a720f7f13adc2b5f4 SHA-1: a3d1412c396e9421f53f8d0782b0d7895e1b9a19 SHA-256: 215eae59f58a2ad67ffff8551d02e0b09bcc77413bcfccb37b70bdc534ab401f
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains heuristics indicating it is a malicious redirector link and uses an advance-fee scam lure. The embedded URL https://ttraff.cc/pify?keyword=anti+dumping+agreement+wto+pdf is confirmed as malicious. The document body, though heavily obfuscated, contains the malicious URL, suggesting the primary intent is to redirect the user to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=anti+dumping+agreement+wto+pdf
    • http://files.graylineconnect.com/uploads/1/3/2/6/132696174/jerupamutatavu.pdf
    • http://files.bellclub.org/uploads/1/3/2/7/132740865/9972882.pdf
    • http://files.mtpskitchengarden.com.au/uploads/1/3/0/7/130775429/nozov_donominesikam_xutiz.pdf
    • https://cdn.shopify.com/s/files/1/0433/8404/5719/files/vewuzufuk.pdf
    • https://cdn.shopify.com/s/files/1/0434/7956/4448/files/nakogasofazuvujot.pdf
    • https://cdn.shopify.com/s/files/1/0428/5412/1635/files/921557615.pdf
    • https://cdn.shopify.com/s/files/1/0433/0268/2789/files/nowolik.pdf
    • https://cdn.shopify.com/s/files/1/0430/2887/3367/files/suva_ergonomie_am_arbeitsplatz.pdf
    • https://cdn.shopify.com/s/files/1/0431/9212/3560/files/scert_kerala_textbooks.pdf
    • https://cdn.shopify.com/s/files/1/0435/3651/5221/files/calorimetry_pogil.pdf
    • https://cdn.shopify.com/s/files/1/0429/6117/4684/files/17563355786.pdf
    • https://cdn.shopify.com/s/files/1/0439/3077/9816/files/avogadro_s_law.pdf
    • https://cdn.shopify.com/s/files/1/0444/2734/6086/files/vasovagal_syncope_patient_information.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66083684812.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00036757.bin
1222bea58cdd0496df5c888ecfe06425ad6542566499452bfe4a4dee8bc1bea1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x36757 5232 bytes
font_01_sfnt_off00037923.bin
c7e87ce58a7c2643b50118d9f23c7d8252ca2c6347b337eadfba753537ac6762		 pdf-font-stream PDF embedded font (sfnt) at offset 0x37923 13784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.