Malicious PDF — malware analysis report

Static analysis result for SHA-256 93bb6a22188b5637…

MALICIOUS

PDF

507.8 KB Created: 2020-09-05 15:59:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db8bf9b4675417dcf02da114dbe71d0a SHA-1: c8e45a34c150f9002076986b867874e05d72db01 SHA-256: 93bb6a22188b563792d325fd0baeb0def4aa140b835ad4fb63e48152c1ea2ec3
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded text and a URL that strongly suggests a phishing or redirection attempt. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK firing indicates the primary URL leads to malicious infrastructure. The SE_INVOICE_LURE heuristic further supports the social engineering aspect, implying the document's content is designed to trick the user into clicking the link, likely for credential harvesting or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=coimbatore+building+bye+laws+pdf
    • https://static.usrfiles.com/ugd/409ca8_896dd05a3e4f49c9861bfd024184a42f.pdf
    • https://static.usrfiles.com/ugd/cc15ef_03bc3d2aa1ba420cb107d2cac2cb3d45.pdf
    • https://static.usrfiles.com/ugd/2ac701_394c0cbbeb8842eebe7d37816d91ac1c.pdf
    • https://static.usrfiles.com/ugd/ddb60a_cdeafa1a619b4a678a8d5a59e4abcd26.pdf
    • https://static.usrfiles.com/ugd/fef373_cd78b596303b42179cae3d10374410a3.pdf
    • https://static.usrfiles.com/ugd/469aea_68f77c1be93f4144be42672fe617822a.pdf
    • https://static.usrfiles.com/ugd/3be3a7_2c5ae9dc05814a6c9f8bed685a21ebea.pdf
    • https://cdn.shopify.com/s/files/1/0428/5169/6796/files/adanga_maru_movie_songs_isaimini.pdf
    • https://cdn.shopify.com/s/files/1/0435/9494/0575/files/online_billing_system_project_php_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/3093/6732/files/cha_cha_music.pdf
    • https://cdn.shopify.com/s/files/1/0433/7428/0855/files/14028509020.pdf
    • https://cdn.shopify.com/s/files/1/0431/3264/9636/files/tajeligigiselemej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0007a46f.bin
1abeb9a49a22642eff54040f4bfc8b9c798508bec5048fd5f84c9049e81315f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A46F 5600 bytes
font_01_sfnt_off0007b777.bin
d421c2caf88811043f8d26e60bdb4205e206815c084d0c3ba903c9c44166c446		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B777 11420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.