Malicious PDF — malware analysis report

Static analysis result for SHA-256 e992c9f08180c7b2…

MALICIOUS

PDF

108.9 KB Created: 2020-09-05 12:48:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e3bdb9a8c720b0331c01725b898817d SHA-1: a696827ad2a5281a3e641903372e8c3bd405a690 SHA-256: e992c9f08180c7b2ebf7417b85175effa2004b8a5893a0210e0b9964828322e5
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a specific malicious redirector URL, strongly indicating an advance-fee scam lure. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' confirms this, describing language related to prizes and parcel delivery. The embedded URL 'https://ttraff.cc/wix?keyword=cid+latest+all+episode' is the primary indicator of compromise, likely leading to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=cid+latest+all+episode
    • https://cdn.shopify.com/s/files/1/0437/7654/0834/files/47439711063.pdf
    • https://cdn.shopify.com/s/files/1/0435/4444/5092/files/cuales_son_los_valores_universales.pdf
    • https://cdn.shopify.com/s/files/1/0430/0403/5221/files/37137389043.pdf
    • https://cdn.shopify.com/s/files/1/0429/8866/7034/files/semumamefeg.pdf
    • https://static.usrfiles.com/ugd/5b604d_6941a3bd931a4410bd9a8aa4ab79fecb.pdf
    • https://static.usrfiles.com/ugd/9fc8c3_0938457319a04fce885993905130c236.pdf
    • https://static.usrfiles.com/ugd/18f527_96cbe0b71c234d2d8a721a42bd38705e.pdf
    • https://static.usrfiles.com/ugd/be19e1_4d0ef445dc9947b2bdd362c5cdd5ff04.pdf
    • https://static.usrfiles.com/ugd/6d59ab_e8083de2f8da4eee99e79b41496145ef.pdf
    • https://static.usrfiles.com/ugd/0047a4_364ca63997704ace927f63c722bc7992.pdf
    • https://static.usrfiles.com/ugd/fb41f9_9dffffaaf9214b46aec9d29241f03bd4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016462.bin
1e0a5906e2ba6cf7d9dbbaf796e2fe4c11e54c6d8efeca0b9d6e1eb97863f799		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16462 4764 bytes
font_01_sfnt_off0001749f.bin
b74c4ceb57ce83216f63e1dc33752e8500d9348ef51c0b0b8b0f02341a8a7c5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1749F 16048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.