Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ad535178b117657…

MALICIOUS

PDF

42.2 KB Created: 2020-09-07 09:26:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 441fe4b640bc0cccb62e5902f1a95b0b SHA-1: 05ea12e0d806c818640d9a2e5bd1238f253e2621 SHA-256: 2ad535178b117657ded8126540352be8b65d84c6849f5512c9b166a926756ba5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1059.003 Windows Command Shell

The PDF contains a malicious redirector link that, when clicked, leads to a URL suggesting a download for 'mac utility software'. Additionally, the document instructs the user to copy and paste content into a command-line context, indicating a social engineering attempt to execute commands. No scripts were extracted, but the heuristics and embedded URL strongly suggest a phishing or malware delivery attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=mac+utility+software%2528+mac+utility.+zip%2529
    • https://static.usrfiles.com/ugd/d017d5_7443d02b9ddd4925bf06c297ce222513.pdf
    • https://static.usrfiles.com/ugd/0ebc1f_bfc7c976452c420e96c8fe4298d19597.pdf
    • https://static.usrfiles.com/ugd/b8c837_6d364c43a68e4f07b13599ffe54ea286.pdf
    • https://static.usrfiles.com/ugd/72ed28_fc03a880e6094f2593a285749338b40b.pdf
    • https://cdn.shopify.com/s/files/1/0429/3401/0015/files/colombo_city_map.pdf
    • https://cdn.shopify.com/s/files/1/0429/7592/0282/files/beginners_guide_to_tarot.pdf
    • https://cdn.shopify.com/s/files/1/0465/1561/7950/files/c3_vs_c4_vs_cam.pdf
    • https://cdn.shopify.com/s/files/1/0449/4727/5931/files/sowalisitomipemoge.pdf
    • https://cdn.shopify.com/s/files/1/0432/9163/9974/files/28614121194.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000513c.bin
766bb3c1bfba429b2a84d0ca653de62a7a491b0c69468d186c62e2fd08a12d55		 pdf-font-stream PDF embedded font (sfnt) at offset 0x513C 5596 bytes
font_01_sfnt_off00006470.bin
f27c6741eb8760b207011be5555e0581078934900cc250b24541c36f377a329c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6470 14304 bytes
font_02_sfnt_off0000916b.bin
cb8566641041206716aeae4f5cf7da806ca8e31f4e53d185b171a684c1881663		 pdf-font-stream PDF embedded font (sfnt) at offset 0x916B 2664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.