Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd5a885f02685fd3…

MALICIOUS

PDF

103.3 KB Created: 2020-09-09 22:54:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cec3253c44c18c964d64615402622b63 SHA-1: 4126fc02f8b100c5f13a47b3ecb60a78e7867307 SHA-256: cd5a885f02685fd3496f475fce1d9cca0233a5e31fb6cfc93048f38ecd2ef929
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector infrastructure, disguised as a document related to 'bourbaki algebra 1 pdf'. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates the document's content is designed to trick users into believing they are receiving a prize or parcel, requiring them to pay a fee. The embedded URL is the primary mechanism for delivering the next stage of the attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bourbaki+algebra+1+pdf
    • https://cdn.shopify.com/s/files/1/0435/3448/3605/files/davv_cet_2020_notification.pdf
    • https://cdn.shopify.com/s/files/1/0429/3358/4028/files/96348710763.pdf
    • https://cdn.shopify.com/s/files/1/0429/5308/0985/files/tiwekilozifomizir.pdf
    • https://static.usrfiles.com/ugd/6812d7_908776c5d3614e62846164dbb38d0e27.pdf
    • https://static.usrfiles.com/ugd/bb10c5_d720836f6da74217987ce900383f77b6.pdf
    • https://static.usrfiles.com/ugd/ef7b09_fbca6780928d49c38e1e0d51d9051ad0.pdf
    • https://static.usrfiles.com/ugd/a771bd_84ff3ca7c9094209a5de0363b972af83.pdf
    • https://static.usrfiles.com/ugd/a2c2bc_b20592921d404585bbb7446423d2c929.pdf
    • https://static.usrfiles.com/ugd/d90490_a61026e71a904c36a7b646f6e9bf9dbc.pdf
    • https://static.usrfiles.com/ugd/5c139a_4520707dd97042f78617718ee899ea65.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013a6a.bin
01a940e5295f9a863ba74f7898faf5a619cc675c3ba2d66d1f3d970c9496218c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13A6A 5336 bytes
font_01_sfnt_off00014ca7.bin
5f1173e83223ecb70b1790e1733ed59bfc904fdd1895bc25dbd44354d09161d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14CA7 14536 bytes
font_02_sfnt_off00017a08.bin
08c2bab0887884b2fc0a4954056e9fa25a5c23e721d4c276f6c1a8dbfca96f4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17A08 16376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.