Malicious PDF — malware analysis report

Static analysis result for SHA-256 4abce2da08b00792…

MALICIOUS

PDF

163.3 KB Created: 2020-07-09 19:23:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78a7b989c080288cd27d2ad3c6d0e9b6 SHA-1: faf9f5e041ef6cd7061c1275267a9836ae24d6ed SHA-256: 4abce2da08b007928b641206612f591c3bed449f21e19a088b18ec48574ca651
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to 'coffeescript tutorial pdf' and the authoring application 'wkhtmltopdf', suggesting a lure to disguise the malicious link. The heuristic for 'SE_ADVANCE_FEE_SCAM_LURE' further supports the malicious intent by indicating the document's content is designed to deceive users into fraudulent activities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=coffeescript%20tutorial%20pdf
    • http://files.poconooldtyme.com/uploads/1/3/2/8/132814473/cbfc312.pdf
    • http://files.magiqatlas.com/uploads/1/3/0/8/130814513/zivatemurijupizowigi.pdf
    • http://files.fustlerthefemalehustler.com/uploads/1/3/0/7/130739839/gaxiwoloxakutenuboj.pdf
    • http://files.willowfree.ca/uploads/1/3/0/7/130740344/xiwodufa.pdf
    • http://files.dorabramden.com/uploads/1/3/1/3/131382141/3729828.pdf
    • http://files.codeelectricmqt.com/uploads/1/3/1/4/131437948/7edf5f5834f64.pdf
    • http://files.artisansguildgallery.com/uploads/1/3/2/6/132696285/rorefulo.pdf
    • http://files.independentscreativegroup.com/uploads/1/3/1/1/131163945/61c59bc.pdf
    • https://tisamipaf.files.wordpress.com/2020/06/nepisobunipip.pdf
    • https://tijizukoveb.files.wordpress.com/2020/06/puzegalipuketowixinokope.pdf
    • https://tolotaf347469470.files.wordpress.com/2020/07/lepubade.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vasopamomakazemujavinis.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/70686619693.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zugazad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00022505.bin
6b30850588a5bdd60c529c7700fff794f5a2074cc8d90a53260296abeca858f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22505 4948 bytes
font_01_sfnt_off000235ef.bin
cdcb4ada1bcd5b13feca14805ab46bce00d98a07ddf1cb52152ea120d6ec7972		 pdf-font-stream PDF embedded font (sfnt) at offset 0x235EF 16928 bytes
font_02_sfnt_off00026b14.bin
780c2ba1f46611f184a1210ab6c53f4ed6d1475a687e3cabd97e3deba530dc28		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26B14 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.