Malicious PDF — malware analysis report

Static analysis result for SHA-256 afbd3a59298c6af5…

MALICIOUS

PDF

213.7 KB Created: 2020-09-19 13:41:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de2cf11f62b16a6fdc8f539ae1c177cb SHA-1: 45410a43b8dbd56755c94524b248e4c97b83103b SHA-256: afbd3a59298c6af5d9d99f6e55c95080a83092020651a40b1c083aba1a9f70dc
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=ffxi+thf+guide+2017+spreadsheet'. Additionally, a heuristic for an advance-fee scam lure was triggered, indicating the document's content is designed to deceive users. The embedded URL is the primary indicator of compromise, likely leading to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=ffxi+thf+guide+2017+spreadsheet
    • https://cdn.shopify.com/s/files/1/0437/1474/0373/files/xegenesixibutoraxolabak.pdf
    • https://cdn.shopify.com/s/files/1/0431/9812/0094/files/application_for_child_care_leave_form.pdf
    • https://cdn.shopify.com/s/files/1/0429/2476/9436/files/92012091064.pdf
    • https://cdn.shopify.com/s/files/1/0429/5199/9637/files/12316815122.pdf
    • https://cdn.shopify.com/s/files/1/0434/3185/4247/files/68511448507.pdf
    • https://cdn.shopify.com/s/files/1/0431/4929/5776/files/comparing_and_ordering_decimals_5th_grade_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0432/9380/2646/files/judejiziwufemidamodawuvi.pdf
    • https://cdn.shopify.com/s/files/1/0432/9124/6747/files/59517995294.pdf
    • https://cdn.shopify.com/s/files/1/0431/1564/3031/files/xifozo.pdf
    • https://cdn.shopify.com/s/files/1/0434/2625/0917/files/vegopugowewenelol.pdf
    • https://19ac5c54-37b1-4fb4-a202-4c59a6071b61.filesusr.com/ugd/516793_8c0dbcf6b90a490b80db8fef11e0a864.pdf?index=true
    • https://bf43f843-b4fe-443b-af84-090952c27b4d.filesusr.com/ugd/805d2a_685e8372e0354441a057d25a7d52728d.pdf?index=true
    • https://8a892f84-fc96-4baa-8ca5-d835c1f8378c.filesusr.com/ugd/e3325f_2356872449f346b6bec17da9127c2174.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00030faa.bin
36add72e84f2d89b7568c7c8cdc1a4eb24f0cc6eea67bf69e755c207e897b34c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x30FAA 5700 bytes
font_01_sfnt_off00032329.bin
952ff3074ea764325e4442da22fdfdadf5b2292ee2e3f89fedd1a555f5952ee7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x32329 10864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.