Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fb51a38c99565c0…

MALICIOUS

PDF

182.4 KB Created: 2020-08-02 10:44:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0863e50a5aedc916eb88bd5e05bab35c SHA-1: a3093af188706585751feb2d27bdc5f86f102ba9 SHA-256: 3fb51a38c99565c094baa8c3c75fc27a66f0e17f3504b3f2ae3d03a7d45476ee
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic indicating it's an advance-fee scam lure, combined with a critical finding of a malicious redirector link. The embedded URL, https://ttraff.cc/pify?keyword=create+virtual+environment+python+3, is the primary indicator of malicious intent, likely leading to further compromise. The document body, though heavily obfuscated, contains references to 'create virtual environment python 3' which appears to be a pretext for the scam.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=create+virtual+environment+python+3
    • http://files.pillowellsilverband.com/uploads/1/3/2/6/132681985/6294044.pdf
    • http://files.marshalltownmainstreet.org/uploads/1/3/1/8/131858045/jadidavumakafu.pdf
    • http://files.aoptech.org/uploads/1/3/2/6/132682303/bijuwe_duseru.pdf
    • http://files.bradhederer.com/uploads/1/3/0/7/130739268/zopifosiguvavir.pdf
    • http://files.theacel.com/uploads/1/3/0/7/130740256/rumotejekad.pdf
    • https://cdn.shopify.com/s/files/1/0435/8547/0623/files/diy_portable_shooting_bench_plans.pdf
    • https://cdn.shopify.com/s/files/1/0438/5443/0368/files/83616003691.pdf
    • https://cdn.shopify.com/s/files/1/0434/5207/2089/files/gesun.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zisavugeti.pdf
    • https://cdn.shopify.com/s/files/1/0433/1569/1678/files/lowatisorezewexe.pdf
    • https://cdn.shopify.com/s/files/1/0431/3009/3728/files/gerigusatujuf.pdf
    • https://cdn.shopify.com/s/files/1/0436/0660/5987/files/94836197252.pdf
    • https://cdn.shopify.com/s/files/1/0435/2750/4024/files/kowewanexu.pdf
    • https://cdn.shopify.com/s/files/1/0431/6289/4498/files/30840728759.pdf
    • https://cdn.shopify.com/s/files/1/0432/0883/5229/files/zumdahl_chemistry_5th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0433/6631/8230/files/24889285525.pdf
    • https://cdn.shopify.com/s/files/1/0431/8189/9944/files/wifisoxarizotilarijosabis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00028a5f.bin
9281f115a7b6e036761227dd94ad1f58db62aa74714d45a9e455684efc69522d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x28A5F 5112 bytes
font_01_sfnt_off00029ba9.bin
b72d01099b4663c665090c85be3c9f9e0d396698cfcfd0f077c7b5b9bd0ee5a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x29BA9 15092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.