Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2b63b0c0e514135…

MALICIOUS

PDF

47.8 KB Created: 2020-09-07 07:39:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0206bea61b1ec8f314d304d2853343dd SHA-1: 7d1320175559754f358fe5342b664ac9d65cb371 SHA-256: c2b63b0c0e51413520a5a37e966ffda7bcf1c3974ec547d3caebbbc088bbff24
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a lure related to an invoice or payment, combined with a visible instruction to click a link. The embedded URL `https://ttraff.cc/wix?keyword=what+is+the+full+form+of+cmdrf` is flagged as a malicious redirector. The document body, though partially garbled, contains the text 'What is the full form of cmdrf' and the malicious URL, suggesting a social engineering tactic to trick the user into visiting a harmful site.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=what+is+the+full+form+of+cmdrf
    • https://cdn.shopify.com/s/files/1/0461/7938/5498/files/kapokifevenudu.pdf
    • https://cdn.shopify.com/s/files/1/0464/2819/2920/files/fish_coloring_sheet_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/4680/5404/files/percent_abundance_of_isotopes_worksheet.pdf
    • https://static.usrfiles.com/ugd/0a51c1_a44de5affae541449b21b648640d3b36.pdf
    • https://static.usrfiles.com/ugd/b28561_660e1e57bbe645138d5b3cd008c0b6fc.pdf
    • https://static.usrfiles.com/ugd/dd6616_8debe27bd50a461d9ba75870a68bb426.pdf
    • https://static.usrfiles.com/ugd/24853a_82d2d7eb565445eaa46bd535f389f8d4.pdf
    • https://static.usrfiles.com/ugd/cb2bed_e24ff8ad35b0454eb274990e7e43370e.pdf
    • https://static.usrfiles.com/ugd/b8c837_79eba934a7234347be9d08136de9d753.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065b8.bin
97a39533bb3ace75c220b42de0684407081973b3857479daf6a82392e0f9f4e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65B8 5272 bytes
font_01_sfnt_off00007780.bin
a8ba320a0ac8a73a5a8cc2c47ba30bd151ec5f51af4d5ac0b9daf85eaa8f1301		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7780 1936 bytes
font_02_sfnt_off000080c5.bin
7ac85c42ec85fd5a6145c05efb0ef10d1218fc9cac4a030b8a4405a90f9b03c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80C5 15456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.