Malicious PDF — malware analysis report

Static analysis result for SHA-256 36812009a5e4d588…

Verdict: MALICIOUS
File type: PDF
Size: 331.4 KB
Created: 2020-09-07 18:58:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bab7d64ebf01c04c16f8ca809f85affd
SHA-1: 3980a1020344ba849a507dfa545ffedb6801a692
SHA-256: 36812009a5e4d5887a86fde359a399fa194846e52db9b409502b3022344f3491
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=johnson+and+johnson+annual+report+2018+pdf'. Additionally, a high-severity heuristic indicates an advance-fee scam lure, suggesting the document's content is designed to trick the user into believing they are accessing a legitimate report to facilitate fraud. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure (severity: high, ID: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=johnson+and+johnson+annual+report+2018+pdf
    • https://static.usrfiles.com/ugd/12f4eb_76f4b48da36d4c8a912c314046643969.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_1cab632f240c451592df079f1a8f1bcd.pdf
    • https://static.usrfiles.com/ugd/fedf23_9c611ea081a14d6f8e962603b264ed0c.pdf
    • https://cdn.shopify.com/s/files/1/0430/1520/9123/files/gadaji.pdf
    • https://cdn.shopify.com/s/files/1/0436/0480/3746/files/tewomavipagino.pdf
    • https://cdn.shopify.com/s/files/1/0428/2197/6220/files/kenshi_slavery_mod.pdf
    • https://cdn.shopify.com/s/files/1/0440/9848/6424/files/tojid.pdf
    • https://cdn.shopify.com/s/files/1/0429/7529/7689/files/sinimuxup.pdf
    • https://static.usrfiles.com/ugd/3ce946_015f8129f8a94d619527bbe505aabd63.pdf
    • https://static.usrfiles.com/ugd/529dbf_4daee3ae2c5b4af0bbaa96b3b090159d.pdf
    • https://static.usrfiles.com/ugd/2c8d66_a4b1d9777d8a4fd393925f5e909ef65a.pdf
    • https://static.usrfiles.com/ugd/b8c837_45d168df0d544de6a846328f3b998d86.pdf
    • https://static.usrfiles.com/ugd/4c3ae3_28de737cd2fa4f169c69349dec3c1a72.pdf
    • https://static.usrfiles.com/ugd/516574_49d6d96c9fb04a948e3ddd61e7480477.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0004d882.bin
    SHA-256: db2e7dd0552a957f204bc6927697ec3e588e6dfb5173d44c7a6792cd7d722904
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D882
    Size: 5712 bytes
  • Filename: font_01_sfnt_off0004ebf5.bin
    SHA-256: d3c3a51ebb8a6e2ef4748deebc3f340fd71c5cfe2a02744902aa4307e71fbf3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4EBF5
    Size: 16980 bytes