Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6261e11b7743a57…

MALICIOUS

PDF

176.4 KB Created: 2020-08-04 15:57:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0411d8afa4f914d4fd62a0524c5df92 SHA-1: 3c04fecd18cdecf11c7101198ff6d4b399712795 SHA-256: c6261e11b7743a57e7db10f873ce40646751f2fbc9de58f42c4be9904249713b
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which points to a URL that is part of a known malicious infrastructure. The document body, though heavily obfuscated, contains the text 'Edgar alan poe libros pdf' and the malicious URL, suggesting a lure to trick the user into clicking the link. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' further supports that the document is designed to deceive users with promises of value, likely leading to a scam.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=edgar+alan+poe+libros+pdf
    • http://files.englewoodfencing.org/uploads/1/3/2/6/132695325/44f0616d36c0.pdf
    • http://files.luciademarcoillustrazioni.com/uploads/1/3/1/4/131437983/245eaab86728a8.pdf
    • http://files.designinghealth.org/uploads/1/3/0/9/130969545/nenakizig-kilivin-vusuk.pdf
    • http://files.clantonplainsbc.org/uploads/1/3/0/7/130775229/podel_wofoxedufiwu_mebiv_fosevesopabodos.pdf
    • http://files.kcpanhel.com/uploads/1/3/2/8/132815961/1055807.pdf
    • https://cdn.shopify.com/s/files/1/0430/3768/7962/files/teknik_konseling_behavioristik.pdf
    • https://cdn.shopify.com/s/files/1/0433/2450/6266/files/58930150687.pdf
    • https://cdn.shopify.com/s/files/1/0431/2468/7014/files/mil-_std-_810g.pdf
    • https://cdn.shopify.com/s/files/1/0432/2086/1092/files/captains_key_classic_wow.pdf
    • https://cdn.shopify.com/s/files/1/0436/4114/3454/files/70008736641.pdf
    • https://cdn.shopify.com/s/files/1/0438/5013/7760/files/rubbermaid_big_max_shed.pdf
    • https://cdn.shopify.com/s/files/1/0434/0023/3112/files/11423605336.pdf
    • https://cdn.shopify.com/s/files/1/0429/5337/5897/files/89078549757.pdf
    • https://cdn.shopify.com/s/files/1/0430/6717/9162/files/68658356088.pdf
    • https://cdn.shopify.com/s/files/1/0432/9452/3552/files/falogo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3355/files/brassey_s_military_ballistics.pdf
    • https://cdn.shopify.com/s/files/1/0429/7896/7703/files/21070057402.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00027c12.bin
bf3437ae4d7ce2e3181a4b2183b2b25b0b01b8fb017146bf03f5c41749fc0c9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27C12 5304 bytes
font_01_sfnt_off00028e25.bin
df11b3775620a836ec28622bd7494dd88e26c641f10e57a3088052a3e421fc51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x28E25 11016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.