Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba7a063e3970f84a…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Created: 2020-08-15 16:41:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b7e6b423659468bb2be33a4a19109c7
SHA-1: 8f72e2338e59b487e72d2a7d0237560fab0c87ed
SHA-256: ba7a063e3970f84a14c317e7d7e7269bd6f763768fc756392c25a07c54fb1999
Risk score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

A critical-severity heuristic fired on a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=ifrs+16+leases+illustrative+examples+pdf'. In addition, the SE_ADVANCE_FEE_SCAM_LURE heuristic indicates that the document's content is designed to deceive users with promises of lottery winnings, parcels or funds. The document body, although heavily obfuscated, contains the same lure text and the malicious URL. The many external PDF links, most of them hosted on cdn.shopify.com, indicate a generated link farm intended to obscure the ultimate destination; the wkhtmltopdf producer string is consistent with the document being rendered from an HTML template rather than authored by hand. No parser exploit, embedded JavaScript or carved executable is reported: the threat depends on the user clicking the link, so the redirector domain and the landing URL are the indicators to block.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is the classic shape of an advance-fee fraud document.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable links (the URIs the two critical heuristics above fired on):
    • https://ttraff.cc/pify?keyword=ifrs+16+leases+illustrative+examples+pdf
    • http://files.alexandrabischoff.com/uploads/1/3/1/3/131383760/537995.pdf
    • https://cdn.shopify.com/s/files/1/0429/2804/6233/files/adriano_panzironi_libro.pdf
    • https://cdn.shopify.com/s/files/1/0437/8905/8209/files/50717983331.pdf
    • https://cdn.shopify.com/s/files/1/0431/9910/3136/files/odia_grammar_for_aso_exam.pdf
    • https://cdn.shopify.com/s/files/1/0431/4578/9600/files/39420930798.pdf
    • https://cdn.shopify.com/s/files/1/0452/6755/0370/files/ancient_history_rs_sharma_book.pdf
    • https://cdn.shopify.com/s/files/1/0432/7650/1147/files/25970989738.pdf
    • https://cdn.shopify.com/s/files/1/0433/3443/4974/files/tisowiga.pdf
    • https://cdn.shopify.com/s/files/1/0430/3123/2674/files/pdf_viewer_for_canadian_visa.pdf
    Namespace URIs from the XMP metadata stream (standard RDF, Dublin Core and Adobe XMP schema identifiers, not clickable links; present in any XMP-tagged PDF):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
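The following Python sketch is an added example, not the report's analysis engine: it reproduces the two URL channels listed above (link annotations versus XMP namespace declarations) and the redirector and link-farm logic of the two critical heuristics, run against a constructed PDF built from this report's link list. The thresholds (64 KB, at least five external .pdf links, at least half of them on one host), the KNOWN_REDIRECTOR_HOSTS set seeded with ttraff.cc, and the build_sample_pdf helper are assumptions for illustration. It only sees uncompressed objects; on real samples the annotations often sit inside FlateDecode object streams that must be inflated first (for example with qpdf --qdf), otherwise this logic sees nothing.

```python
"""Triage sketch for URL-based PDF heuristics (added example, not the
report's engine). Works on uncompressed PDF objects only."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: a local denylist seeded with the redirector host named in
# this report. A production engine would use a maintained intel feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

# /URI values are PDF strings: either a (literal) or a <hex> string.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)")
# xmlns declarations in the XMP metadata stream are schema identifiers,
# not clickable links, so they are reported on a separate channel.
XMLNS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')


def extract_urls(pdf_bytes):
    """Return URLs per channel: link annotations and XMP namespaces."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group(1) is not None:
            # Undo simple backslash escapes such as \( and \); octal
            # escapes are not handled in this sketch.
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        else:
            raw = bytes.fromhex(m.group(2).decode("ascii"))
        links.append(raw.decode("latin-1"))
    namespaces = [m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf_bytes)]
    return {"link_annotation": links, "xmp_namespace": namespaces}


def triage(pdf_bytes, max_size=64 * 1024, min_pdf_links=5, cluster_ratio=0.5):
    """Apply the redirector, link-farm and embedded-URL heuristics.
    Thresholds are assumptions reflecting the report's wording ("small PDF",
    "many ... links, mostly clustered on one host").
    Returns a list of (severity, heuristic_id, evidence) tuples."""
    urls = extract_urls(pdf_bytes)
    links = urls["link_annotation"]
    findings = []

    hits = [u for u in links if (urlparse(u).hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS]
    if hits:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", hits))

    # Link farm: count external .pdf links and how many share the top host.
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    if (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
            and top_count >= cluster_ratio * len(pdf_links)):
        findings.append(("critical", "PDF_SEO_LINK_FARM",
                         [f"{top_count}/{len(pdf_links)} external .pdf links on {top_host}"]))

    if links or urls["xmp_namespace"]:
        findings.append(("info", "EMBEDDED_URL", urls))
    return findings


def build_sample_pdf(link_urls):
    """Constructed test input (not the analysed sample): one /Link annotation
    per URL plus an XMP stream. It has no xref table, so it is not a valid
    PDF for a viewer, only enough structure for the regex extractor above."""
    xmp = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
    annots = "".join(
        f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        f"/A << /S /URI /URI ({u}) >> >> endobj\n"
        for i, u in enumerate(link_urls))
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            f"3 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n" + annots + "%%EOF\n")
    return body.encode("latin-1")


# Link set copied from this report's EMBEDDED_URL list.
SAMPLE_LINKS = [
    "https://ttraff.cc/pify?keyword=ifrs+16+leases+illustrative+examples+pdf",
    "http://files.alexandrabischoff.com/uploads/1/3/1/3/131383760/537995.pdf",
    "https://cdn.shopify.com/s/files/1/0429/2804/6233/files/adriano_panzironi_libro.pdf",
    "https://cdn.shopify.com/s/files/1/0437/8905/8209/files/50717983331.pdf",
    "https://cdn.shopify.com/s/files/1/0431/9910/3136/files/odia_grammar_for_aso_exam.pdf",
    "https://cdn.shopify.com/s/files/1/0431/4578/9600/files/39420930798.pdf",
    "https://cdn.shopify.com/s/files/1/0452/6755/0370/files/ancient_history_rs_sharma_book.pdf",
    "https://cdn.shopify.com/s/files/1/0432/7650/1147/files/25970989738.pdf",
    "https://cdn.shopify.com/s/files/1/0433/3443/4974/files/tisowiga.pdf",
    "https://cdn.shopify.com/s/files/1/0430/3123/2674/files/pdf_viewer_for_canadian_visa.pdf",
]

if __name__ == "__main__":
    for severity, hid, evidence in triage(build_sample_pdf(SAMPLE_LINKS)):
        print(f"[{severity}] {hid}: {evidence}")
```

Run stand-alone, the sample reproduces the three URL-related findings of this report: the redirector hit on ttraff.cc, the link-farm hit with 8 of 9 external .pdf links on cdn.shopify.com, and the informational URL inventory with the XMP namespaces kept apart from the clickable links. A two-link document spread over two hosts produces only the informational finding, which is the citation pattern the link-farm heuristic is meant to exclude.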

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006ad5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6AD5  5460 bytes
  SHA-256: fdb201d45cfb9509e8ea651f06bde42173edf3ac56b43311a0206c57e66a1163
font_01_sfnt_off00007d5a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7D5A  10156 bytes
  SHA-256: 33b5306cbe95a177d53bf5ad2b67c993b99dd22745f100d423bb4759f87b2dbe

Both carved artifacts are embedded sfnt font programs, which is expected for a wkhtmltopdf-generated document. No script, executable or other payload was carved, consistent with the heuristics above attributing the threat to the clickable links rather than to a parser exploit.