Malicious PDF — malware analysis report

Static analysis result for SHA-256 499c525038060670…

Verdict: MALICIOUS

File type: PDF

Size: 148.1 KB
Created: 2020-09-18 17:23:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2d9efd3d4e3c7cdc8bccbaaf1b7e5cba
SHA-1: 13fee7bbdf10a688caa39a9d0690c27b95e7a911
SHA-256: 499c525038060670aee0b1c179dc515c22b1f43690a2f53df6bf2a5d44c93f0c
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers heuristics indicating that it acts as a malicious redirector and uses an advance-fee scam lure. The document body, though heavily obfuscated, contains a URL that is flagged as malicious; this URL is likely intended to redirect the user to a phishing or malware-distribution site.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/wix?keyword=the+testament+of+sherlock+holmes+walkthrough+no+commentary
    • https://440e669e-ac4a-49f6-839c-893a6d0412e5.filesusr.com/ugd/b81754_7ceb20141656497b8c0844bdd1711a3d.pdf?index=true
    • https://38d64f13-bfff-4d4c-9fb2-f416e47a1193.filesusr.com/ugd/9bd8c3_21e52d0f6ad54dcaace253172cd9b16f.pdf?index=true
    • https://a62d5c3b-6fcc-44af-aa30-aebca55f6444.filesusr.com/ugd/55f640_de1c2ad39bbd4fd983d834e55a2a8fa7.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/8046/6080/files/derafupejadomem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/8861538602.pdf
    • https://cdn.shopify.com/s/files/1/0433/5216/2462/files/birdland_big_band_score.pdf
    • https://cdn.shopify.com/s/files/1/0437/2781/4810/files/countries_and_capitals_of_asia.pdf
    • https://cdn.shopify.com/s/files/1/0437/7739/2794/files/wivezojovezija.pdf
    • https://cdn.shopify.com/s/files/1/0434/2244/9820/files/tefupixexarawalukosa.pdf
    • https://a3cf5168-8660-402c-8882-46f3b776bc42.filesusr.com/ugd/cc14e4_a5309801692443e79ebc790ebab054d0.pdf?index=true
    • https://94db6952-46cc-48e0-a087-c3b47c26aded.filesusr.com/ugd/7836c9_f098f7735a6e40a4acc9b4b982f63f91.pdf?index=true
    • https://198a7459-8844-4d77-9899-a7f59ddb70d6.filesusr.com/ugd/cc089a_5252f85062a9441588b32ef30b77f6a3.pdf?index=true
    • https://779d38ce-2291-4fe8-9a0f-ebaa111058b5.filesusr.com/ugd/8b2c09_c1b8ff7f0842449d8d275983acf5f2a6.pdf?index=true
    • https://91df15bf-8aeb-40fb-b18d-c1a0ec84eba2.filesusr.com/ugd/a4c1fa_b0d881c296fb48319daef94560f10940.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00020b2e.bin
    SHA-256: 82aed57aac13ad30fa7aeedc893edba0849a1d745bd8f243e718b1d98ee3272c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20B2E
    Size: 5504 bytes
  • Filename: font_01_sfnt_off00021dd5.bin
    SHA-256: 279d5b8f98bdcca03acdaece9945602964ef62b4672ec13485a0b47998e119e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21DD5
    Size: 10604 bytes