Malicious PDF — malware analysis report

Static analysis result for SHA-256 498fdd36fdd33ea4…

MALICIOUS

PDF

86.0 KB Created: 2020-08-29 22:42:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5ce1d047c956391a320cc871ac5be15 SHA-1: 7345e72888734e6321439b7263a55594eb333258 SHA-256: 498fdd36fdd33ea4f011bd36acfc827b5f91dee57af76db6d5815e09371d374e
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link disguised as a movie title, which redirects to a known malicious domain. This is indicative of a phishing or scam attempt, likely to defraud the user or deliver a secondary payload. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' further supports this, suggesting a lottery or parcel scam. No scripts were extracted, limiting the analysis of direct execution behavior.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=spongebob+movie+2004+full+movie
    • https://cdn.shopify.com/s/files/1/0431/8789/6488/files/wijulutil.pdf
    • https://cdn.shopify.com/s/files/1/0436/8783/7849/files/78226630817.pdf
    • https://cdn.shopify.com/s/files/1/0434/1301/2630/files/hssc_declaration_form_annexure_e1.pdf
    • https://cdn.shopify.com/s/files/1/0437/6294/2106/files/nejufixedodob.pdf
    • https://cdn.shopify.com/s/files/1/0437/3463/0554/files/vigiximigosajefesoja.pdf
    • https://cdn.shopify.com/s/files/1/0431/3019/2039/files/nuwemagozewokexilixoviro.pdf
    • https://cdn.shopify.com/s/files/1/0432/8236/6629/files/couchdb_cluster_performance.pdf
    • https://cdn.shopify.com/s/files/1/0430/2949/5959/files/jefugogoxa.pdf
    • https://cdn.shopify.com/s/files/1/0435/8524/1256/files/chapter_3_quantitative_research.pdf
    • https://cdn.shopify.com/s/files/1/0431/8475/0747/files/permutations_and_combinations_worksheet_doc.pdf
    • https://cdn.shopify.com/s/files/1/0437/2063/8632/files/nba_basketball_rules_and_regulations.pdf
    • https://cdn.shopify.com/s/files/1/0434/6108/3301/files/anonytun_achi_pro_apk_terbaru_2018.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001121a.bin
789dd1c2c9bfc00f981bcdf97cbe43eace7be7e746fdd7fd165bcbb756ed0c8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1121A 5404 bytes
font_01_sfnt_off00012482.bin
0fabe93aea7eedfb9834512b4ee5e3293ebff699768f4246435e2fb227b07178		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12482 11220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.