Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF file triggered a heuristic for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=new+hindi+movies+don+2'. This URL is embedded within the document body, disguised as a link to movie content. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' further indicates that the document's content is designed to trick users into paying fees for a promised prize or parcel, a common advance-fee fraud scheme. No scripts were extracted from this sample.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE: Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs
- https://ttraff.cc/wix?keyword=new+hindi+movies+don+2
- https://static.usrfiles.com/ugd/b8c837_34146b85622e46a5aed24239f8c9cece.pdf
- https://static.usrfiles.com/ugd/b8c837_6520f5d14ed244a8b758c44845067024.pdf
- https://static.usrfiles.com/ugd/b8c837_525f5dd310274f398134ed6ab187f92e.pdf
- https://static.usrfiles.com/ugd/b8c837_fd75f13c0f4448adbdfa0cc5f547db8a.pdf
- https://static.usrfiles.com/ugd/b8c837_b15b48bc05bb442585c42e9101cdf8a4.pdf
- https://static.usrfiles.com/ugd/b8c837_cea07075accc4661a987b733a964a772.pdf
- https://static.usrfiles.com/ugd/b8c837_79cab8e5a91d41239a55abe7be259bde.pdf
- https://static.usrfiles.com/ugd/b8c837_fa1fb0994d5642f8a7a4401336d38efe.pdf
- https://cdn.shopify.com/s/files/1/0436/6611/2662/files/fenutejud.pdf
- https://cdn.shopify.com/s/files/1/0427/9648/2727/files/git_deploy_script.pdf
- https://cdn.shopify.com/s/files/1/0428/9265/6799/files/36061232740.pdf
- https://cdn.shopify.com/s/files/1/0435/0997/3147/files/aroma_professional_rice_cooker_instructions.pdf
- https://static.usrfiles.com/ugd/b8c837_6eed2c5a91d44e8e9499a91278564030.pdf
- https://static.usrfiles.com/ugd/b8c837_e7925511cda94b2ca2e78fdb48f63a16.pdf
- https://static.usrfiles.com/ugd/b8c837_19e027171820425ba6024ce075f59de4.pdf
- https://static.usrfiles.com/ugd/b8c837_1a5f92b248f644aebb64990e07b4a0b4.pdf
- https://static.usrfiles.com/ugd/b8c837_c511eeff4e23487ba470335c65a80620.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00022142.bin | 6beb0f8c97a00d71cf33a7307989061fc68cfc5ee0dc7c13a89591af732959b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x22142 | 4980 bytes |
| font_01_sfnt_off00023226.bin | bfed309cd2ee6d8d54427cec6abdecaac7c1eeb5e5ba4be81e78b772a1d0437b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23226 | 15776 bytes |
| font_02_sfnt_off00026384.bin | ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26384 | 16164 bytes |