Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d10452c273b44ec…

MALICIOUS

PDF

505.3 KB Created: 2020-08-05 11:01:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82b3e372543acb99e3225a8fbb2db5db SHA-1: 66f97cc155380accdce7b152c7249fe444b12689 SHA-256: 3d10452c273b44ec5cda7d23cc0c30c31393cac437403626ec26f4ed4ad859d8
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text that, combined with the heuristic SE_ADVANCE_FEE_SCAM_LURE, suggests an advance-fee scam. The primary IOC is the malicious URL embedded within the document, which is likely used to redirect the user to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=vampire+the+masquerade+camarilla+5th+edition+pdf
    • http://files.artistdscott.com/uploads/1/3/0/9/130969352/434159.pdf
    • http://mukudit.gschwindcabinet.com/uploads/1/3/1/3/131378780/5403535.pdf
    • http://fadur.solidrockmasons.com/uploads/1/3/1/0/131070146/xutatuf-vuzuforujuvu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4971/2807/files/nixufakokonorusupimulojak.pdf
    • https://cdn.shopify.com/s/files/1/0427/7728/0671/files/among_the_betrayed.pdf
    • https://cdn.shopify.com/s/files/1/0435/7901/5331/files/gelekemufiraviverex.pdf
    • https://cdn.shopify.com/s/files/1/0436/4202/8182/files/51172278853.pdf
    • https://cdn.shopify.com/s/files/1/0446/6583/1577/files/computer_abbreviations_list.pdf
    • https://cdn.shopify.com/s/files/1/0431/5866/7415/files/songs_of_a_dead_dreamer.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/burnout_3_takedown_soundtrack.pdf
    • https://cdn.shopify.com/s/files/1/0432/7079/9510/files/5821759827.pdf
    • https://cdn.shopify.com/s/files/1/0432/2692/3172/files/xuxebuzativoxesubijixal.pdf
    • https://cdn.shopify.com/s/files/1/0434/7055/3250/files/dufodugukoxatugazot.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/futaduxinodafege.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00078da5.bin
0266b7dd2b9de91602fbaa154c28a9628ba1e063a953a9136ab24b68249d971b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78DA5 5612 bytes
font_01_sfnt_off0007a099.bin
e2a290d672fa4848200a85691781c4859791c1732648d02a03244bc1fb5c1404		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A099 16512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.