Malicious PDF — malware analysis report

Static analysis result for SHA-256 b65cea81fd41b650…

MALICIOUS

PDF

97.8 KB Created: 2020-08-12 12:20:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c19b373281610bd3419f66e4e073328c SHA-1: 86814ea6b762dd0135a07ab548869efcbd3b730d SHA-256: b65cea81fd41b650dd4652dd6af6f02372a99faeb0862a14a55635b96f655c77
168 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple heuristics indicating malicious redirection and a lure for advance-fee scams, specifically mentioning invoices and parcel delivery. The embedded URL `https://ttraff.cc/pify?keyword=working+of+automated+teller+machine+pdf` is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL, reinforcing the malicious intent. The presence of numerous external PDF links, many hosted on Shopify, suggests an attempt to create a link farm for SEO manipulation or to distribute further malicious content.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=working+of+automated+teller+machine+pdf
    • http://nemov.lyrictheatreillinois.com/uploads/1/3/0/7/130775248/2955983.pdf
    • http://files.emmagardner.com/uploads/1/3/1/0/131069812/muwomenidodobov_gamasosepovowu_tufozaxigip_vujufimiwozi.pdf
    • http://ripunakez.musicbylily.com/uploads/1/3/1/4/131409090/4929433.pdf
    • http://files.georgisztojanov.com/uploads/1/3/2/6/132683017/dinokofomepofeg_wokipokitazisiw.pdf
    • http://files.hazelsnetogo.com/uploads/1/3/1/4/131407737/f931601a.pdf
    • https://cdn.shopify.com/s/files/1/0435/0767/9387/files/berudadizejejon.pdf
    • https://cdn.shopify.com/s/files/1/0434/4345/4102/files/35973017878.pdf
    • https://cdn.shopify.com/s/files/1/0441/4350/9656/files/database_systems_thomas_connolly_6th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0440/2331/6630/files/gojikojegorugozise.pdf
    • https://cdn.shopify.com/s/files/1/0437/9456/3221/files/dafud.pdf
    • https://cdn.shopify.com/s/files/1/0430/9201/7305/files/split_by_page_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/7369/1045/files/git_proxy_settings.pdf
    • https://cdn.shopify.com/s/files/1/0434/1563/4071/files/86811094332.pdf
    • https://cdn.shopify.com/s/files/1/0437/3407/3505/files/delogatepivezomogegawarur.pdf
    • https://cdn.shopify.com/s/files/1/0428/9291/8947/files/86553376467.pdf
    • https://cdn.shopify.com/s/files/1/0434/9542/4165/files/silamifupozep.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001428c.bin
eb5188d64a59e34fb79677a6a354ddcf52724bd20e2364ac8988effa43a3fd6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1428C 5468 bytes
font_01_sfnt_off00015508.bin
3f154b6b38f7064772e9078405fbeadb063e9a13bbe23b1e7db9db5d22448bc8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15508 10804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.