Malicious PDF — malware analysis report

Static analysis result for SHA-256 3891fdbec47a9fdd…

Verdict: MALICIOUS
File type: PDF
Size: 178.3 KB
Created: 2020-08-04 11:39:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6d8f555e45e0e72353b71971ea3d24a
SHA-1: a23f82ce8ef3f0984b707a29f8e6824e03ac98c4
SHA-256: 3891fdbec47a9fdd55d7fc21990c33903aefd281a93025ccf3f5b65665f3c1a2
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains embedded text and a URL that is flagged as a malicious redirector. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates the document's content is designed to deceive users with promises of large sums of money or prizes, requiring them to take further action. The primary malicious IOC is the redirector URL, which likely leads to a phishing or malware distribution site.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002824f.bin
  SHA-256: a56185af42760a424a729d760659491ddc27412e66c4b41e429aecec3958abdb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2824F
  Size: 5412 bytes

Filename: font_01_sfnt_off000294b1.bin
  SHA-256: f3c473abf9464b82383186bf2c9ddd6957b6c1e58aad1a308c3c7ce4db186669
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x294B1
  Size: 11224 bytes