Malicious PDF — malware analysis report

Static analysis result for SHA-256 29b05f126c9f241f…

Verdict: MALICIOUS
File type: PDF
Size: 678.9 KB
Created: 2020-09-04 10:29:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c25f6ccafbf2c03fbedb96fe2c95ed92
SHA-1: 29ac13bb74a4cb22c82d9ec65531c9f131171775
SHA-256: 29b05f126c9f241fafc74976adfd03962aee9a9e67ad9da77a3a463e7f2fb325
Risk score: 108

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the PDF's clickable URI to the redirector; T1566.001 Spearphishing Attachment would cover the PDF itself as the delivered file)
T1059.001 Command and Scripting Interpreter: PowerShell (reported by the analyzer, but no script was extracted from this sample, so the static evidence here does not support this mapping)

Heuristics flag the PDF as a malicious redirector: its clickable link points to ttraff.ru, redirector infrastructure associated with PDF SEO/adware delivery, and the query string carries the search term 'koninklijke ahold delhaize annual report' that serves as the lure. The document text separately matches an advance-fee scam lure pattern. The primary IOC is the redirector URL, which likely leads to further malicious content or phishing pages. No scripts were extracted from this sample, so the document depends on the user clicking the link rather than on a parser vulnerability.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [low] SE_INVOICE_LURE: Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb. On its own this is weak context; it is only meaningful combined with link, macro, or attachment indicators (here, the redirector link).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters for triage is which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (the clickable URI flagged by PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.ru/pify?keyword=koninklijke+ahold+delhaize+annual+report
    Other PDF documents on public file hosting (cdn.shopify.com, static.usrfiles.com) referenced by the document; worth pivoting on alongside the redirector URL:
    • https://cdn.shopify.com/s/files/1/0434/8418/4728/files/dagorawituwifadolagejitub.pdf
    • https://cdn.shopify.com/s/files/1/0461/9131/3059/files/case_information_online_santa_clara.pdf
    • https://cdn.shopify.com/s/files/1/0431/9900/4827/files/nelly_futado_all_good_things.pdf
    • https://cdn.shopify.com/s/files/1/0432/6542/5570/files/27616688549.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8782/files/65855248463.pdf
    • https://static.usrfiles.com/ugd/37321e_d55fd7010fd4477aa346311b99a94797.pdf
    • https://static.usrfiles.com/ugd/f103bb_9b1ec88c67a74a6bb5d42cb1a17b7c44.pdf
    • https://static.usrfiles.com/ugd/269bb8_4c70a3bb5efd425589a0abea782d9b95.pdf
    • https://static.usrfiles.com/ugd/808d8c_b85cd50d07fe46a680c2336b081c9de5.pdf
    • https://cdn.shopify.com/s/files/1/0469/0522/9474/files/illustrator_calligraphy_brushes.pdf
    • https://cdn.shopify.com/s/files/1/0432/2174/5823/files/jipekokejetidanat.pdf
    XMP metadata schema namespaces (standard RDF, Dublin Core and Adobe XMP identifiers present in any XMP packet; not navigable links and not IOCs):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
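As an added example (not the analyzer's code), the following Python script performs the per-channel URL labelling that the EMBEDDED_URL heuristic describes, on a PDF constructed inline: it collects URIs from /Link annotations, inflates Flate-compressed streams so an annotation stored in an object stream is not missed by a raw scan, separates XMP namespace identifiers from navigable links, applies the redirector check to clickable links only, and tests extracted text for the advance-fee lure shape. The redirector host list, the lure term lists and the sample PDF are assumptions for the demo; the URLs inside it are taken from the list above.

```python
"""Label the URLs in a PDF by the channel that reached them, as the EMBEDDED_URL
heuristic above does. Added example, not the analyzer's code. The sample PDF,
the redirector host list and the lure term lists are assumptions for the demo."""
import re
import zlib
from urllib.parse import urlparse

# XMP schema namespace identifiers (the last six URLs in the report). They are
# present in any XMP packet, are not navigable links, and are not IOCs.
XMP_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",  # prefix also covers .../mm/ and .../rights/
)
# Assumed redirector block list; the report names ttraff.ru.
REDIRECTOR_HOSTS = {"ttraff.ru"}
# Assumed term lists for the advance-fee shape: prize/beneficiary wording
# together with funds-transfer or courier-delivery wording.
PRIZE_TERMS = ("lottery", "beneficiary", "prize", "winner")
FUNDS_TERMS = ("draft", "funds", "courier", "parcel")

# /Link annotation action: /A << /S /URI /URI (https://...) >>
# (escaped parentheses inside the literal string are not handled here)
URI_ANNOT_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Raw bytes plus the inflated body of every stream that is zlib data.
    An annotation stored in a /FlateDecode object stream is invisible to a
    raw scan until the stream is inflated."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (e.g. the plain XMP packet) or damaged
    return b"\n".join(parts)


def classify_uris(pdf: bytes, inflate: bool = True) -> dict:
    """Map each URL to (channel, verdict)."""
    data = inflate_streams(pdf) if inflate else pdf
    annots = {m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(data)}
    result = {}
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in annots:
            channel = "link-annotation"   # clickable: a user click is enough
        elif url.startswith(XMP_NAMESPACES):
            channel = "xmp-metadata"      # schema identifier, not a link
        else:
            channel = "document-body"
        host = urlparse(url).hostname or ""
        if channel == "link-annotation" and host in REDIRECTOR_HOSTS:
            verdict = "critical: PDF_MALICIOUS_REDIRECTOR_LINK"
        elif channel == "xmp-metadata":
            verdict = "none: not an IOC"
        else:
            verdict = "info: EMBEDDED_URL"
        result[url] = (channel, verdict)
    return result


def advance_fee_lure(text: str) -> bool:
    """SE_ADVANCE_FEE_SCAM_LURE shape, applied to already extracted text."""
    low = text.lower()
    return any(t in low for t in PRIZE_TERMS) and any(t in low for t in FUNDS_TERMS)


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not the analysed sample): one plain /Link
    annotation to the redirector, one /Link hidden in a Flate object stream,
    and an XMP packet declaring two namespaces."""
    link = (b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
            b"(https://ttraff.ru/pify?keyword=koninklijke+ahold+delhaize+annual+report) >> >>\nendobj\n")
    hidden = (b"2 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
              b"(https://cdn.shopify.com/s/files/1/0434/8418/4728/files/dagorawituwifadolagejitub.pdf) >> >>\nendobj\n")
    packed = zlib.compress(hidden)
    objstm = (b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
              + packed + b"\nendstream\nendobj\n")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
    meta = (b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + link + objstm + meta + b"%%EOF\n"


if __name__ == "__main__":
    for url, (channel, verdict) in classify_uris(build_sample_pdf()).items():
        print(f"{channel:16} {verdict:40} {url}")
    print("advance-fee lure:", advance_fee_lure(
        "You are the beneficiary of a bank draft; the courier requires a fee"))
```

Run with `classify_uris(pdf_bytes, inflate=False)` to see what a raw-bytes scan alone reports: the annotation inside the object stream disappears, which is why triage tools inflate every stream before extracting URLs. Real documents need a proper PDF parser (object streams can be nested, strings can be hex-encoded or escaped), but the channel split is the same.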

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded fonts, which are normal for a wkhtmltopdf-generated document; they are listed for completeness and are not detections.

font_00_sfnt_off000a2c72.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA2C72
  Size:    5028 bytes
  SHA-256: 6cd66ef1760dca38be4ae5ed070fb4e51f01f1cf757af98f6be15731680057e2

font_01_sfnt_off000a3d9a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA3D9A
  Size:    17256 bytes
  SHA-256: dce48338056172babc904b97959373d42a6ae6f019b1e35dcba2dd8c62286aad

font_02_sfnt_off000a7336.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA7336
  Size:    16220 bytes
  SHA-256: cc4abd7d61a178f2172038ea444a26fd0d8fa2ad909be4c3dae0b17281216427