Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed3c7e97313d5084…

Verdict: MALICIOUS
File type: PDF
Size: 255.6 KB
Created: 2020-08-20 13:59:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c24ce1179c1b8a4d90b3e1c4d2e4ab7
SHA-1: a6b5eef6d6d6b2303c26132e89e2b124ef7cf5bb
SHA-256: ed3c7e97313d50842c92837e2422f3a0073efc0af63ce7fd93e4b0ef9c8ad7c5
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1204.001 Malicious Link
  • T1059.003 Windows Command Shell

The PDF contains a clickable link to the redirector domain 'ttraff.com', which is flagged as malicious; the URL's keyword parameter ('mac pro 2009 upgrade guide') is the bait, a fake upgrade guide. The document body and heuristics indicate an advance-fee scam lure. The document also instructs the user to paste clipboard content into a shell context (Run, PowerShell, cmd), an attempt to get the user to execute commands by hand. None of the findings depend on a parser vulnerability: the document is only dangerous if the user follows the link or the paste instructions, so blocking the redirector domain and user awareness are the relevant controls.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [high] SE_CLIPBOARD_COMMAND_LURE: Clipboard command execution lure
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each one. Note that the six http://www.w3.org/..., http://purl.org/... and http://ns.adobe.com/... entries at the end of the list are XMP/RDF metadata namespace identifiers, not navigable links; the remaining entries are links to further hosted PDFs, the cross-linking typical of SEO-spam PDF campaigns.
    URLs extracted:
    • https://ttraff.com/pify?keyword=mac+pro+2009+upgrade+guide
    • http://files.stlouistennriverpacketco.com/uploads/1/3/1/4/131437657/senoti.pdf
    • http://files.shamrockhavenpublishing.com/uploads/1/3/2/7/132740498/pefepujekezaxaxixu.pdf
    • http://debis.unlockyourheart.com/uploads/1/3/2/6/132682327/115395.pdf
    • http://files.sarahfeinertherapies.com/uploads/1/3/1/6/131607930/xezokapapib.pdf
    • https://cdn.shopify.com/s/files/1/0436/2482/4995/files/2595593414.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rowogumidakedodovejizana.pdf
    • https://cdn.shopify.com/s/files/1/0433/2571/8678/files/45850028978.pdf
    • https://cdn.shopify.com/s/files/1/0432/0142/9662/files/bagpipe_sheet_music_for_itchy_fingers.pdf
    • https://cdn.shopify.com/s/files/1/0436/9691/4600/files/34891252835.pdf
    • https://cdn.shopify.com/s/files/1/0436/9884/7896/files/application_for_australian_passport_b11_form.pdf
    • https://cdn.shopify.com/s/files/1/0435/4880/3227/files/weputulorolalexupabuluw.pdf
    • https://cdn.shopify.com/s/files/1/0438/6878/2757/files/20319650274.pdf
    • https://cdn.shopify.com/s/files/1/0433/8896/0933/files/powers_and_exponents_worksheet_6th_grade.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
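The EMBEDDED_URL heuristic labels each URL by the channel that reached it. The script below is an added illustration, not the analyser's own code: it reproduces that labelling for three channels (link annotation, document body, XMP metadata) on a constructed, uncompressed PDF that reuses the report's redirector URL and one of its listed PDF URLs, marks the XMP namespace URIs as non-navigable, and then runs approximations of the two social-engineering heuristics over the drawn body text. The sample PDF, the channel names and the lure regexes are assumptions made for this example; the real analyser's rules are not published on this page, and a real tool would inflate FlateDecode streams before applying anything like this.

```python
"""Label each URL in a PDF by the channel that reached it, then run two of the
report's social-engineering heuristics over the body text.  Added example, not
the analyser's code: uncompressed objects only (real tools inflate FlateDecode
first); regexes and channel names are assumptions approximating the report."""
import re

# Constructed sample PDF (not the analysed file): one /Link annotation with a
# /URI action, one XMP packet, one content stream with the lure text.
LINK = b'https://ttraff.com/pify?keyword=mac+pro+2009+upgrade+guide'
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
       b'</rdf:RDF></x:xmpmeta>')
BODY = (b'BT /F1 12 Tf 72 700 Td (You are the beneficiary of a USD 1,500,000 bank draft.) Tj '
        b'0 -16 Td (A courier fee is due before the parcel is released.) Tj '
        b'0 -16 Td (Open Run, paste the clipboard contents and press Enter.) Tj '
        b'0 -16 Td (Guide: http://files.stlouistennriverpacketco.com/uploads/1/3/1/4/131437657/senoti.pdf) Tj ET')

def _stream_obj(num, extra, data):
    return b'%d 0 obj << %s /Length %d >>\nstream\n%s\nendstream\nendobj\n' % (num, extra, len(data), data)

SAMPLE_PDF = (
    b'%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n'
    b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n'
    b'3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 6 0 R /Annots [4 0 R] >> endobj\n'
    b'4 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 712] /A << /S /URI /URI (' + LINK + b') >> >> endobj\n'
    + _stream_obj(5, b'/Type /Metadata /Subtype /XML', XMP) + _stream_obj(6, b'', BODY)
    + b'trailer << /Root 1 0 R >>\n%%EOF\n')

OBJ_RE = re.compile(rb'\d+\s+0\s+obj(.*?)endobj', re.S)
LITERAL = rb'\((?:\\.|[^\\)])*\)'                      # PDF literal string, no nesting
URI_KEY_RE = re.compile(rb'/URI\s*(' + LITERAL + rb')')
URL_RE = re.compile(rb'https?://[^\s<>"\')]+')
XMP_NAMESPACES = ('http://www.w3.org/1999/02/22-rdf-syntax-ns#',
                  'http://purl.org/dc/elements/1.1/', 'http://ns.adobe.com/')

def _unwrap(lit):
    """Drop the parentheses of a literal string and undo escaped parens/backslashes."""
    return lit[1:-1].replace(b'\\(', b'(').replace(b'\\)', b')').replace(b'\\\\', b'\\')

def _objects(pdf):
    """Yield (kind, body) for each indirect object: 'link', 'metadata' or 'content'."""
    for body in OBJ_RE.findall(pdf):
        if re.search(rb'/Subtype\s*/Link\b', body):
            yield 'link', body
        elif re.search(rb'/Type\s*/Metadata\b', body):
            yield 'metadata', body
        elif b'stream' in body:
            yield 'content', body

def _drawn_text(body):
    """The literal strings a content stream draws, joined in order."""
    return b' '.join(_unwrap(s) for s in re.findall(LITERAL, body))

def extract_urls(pdf):
    """Return [(channel, url)], one entry per URL, labelled by how it was reached."""
    found = []
    for kind, body in _objects(pdf):
        if kind == 'link' and re.search(rb'/S\s*/URI\b', body):   # clickable URI action
            found += [('link-annotation', _unwrap(m.group(1)).decode('latin-1'))
                      for m in URI_KEY_RE.finditer(body)]
        elif kind == 'metadata':
            found += [('xmp-metadata', u.decode('latin-1')) for u in URL_RE.findall(body)]
        elif kind == 'content':
            found += [('document-body', u.decode('latin-1')) for u in URL_RE.findall(_drawn_text(body))]
    return found

def is_navigable(channel, url):
    """XMP namespace URIs are identifiers nobody clicks; every other URL counts."""
    return not (channel == 'xmp-metadata' and url.startswith(XMP_NAMESPACES))

def body_text(pdf):
    return b' '.join(_drawn_text(b) for k, b in _objects(pdf) if k == 'content').decode('latin-1')

# Lure heuristics: assumed approximations of SE_CLIPBOARD_COMMAND_LURE and
# SE_ADVANCE_FEE_SCAM_LURE as described in the report, not the vendor's rules.
SHELL = r'(?:run|powershell|cmd|command prompt|terminal)'
CLIPBOARD_LURE = re.compile(r'\b(?:paste|clipboard)\b.{0,80}\b' + SHELL + r'\b|\b' + SHELL
                            + r'\b.{0,80}\b(?:paste|clipboard)\b', re.I | re.S)
ADVANCE_FEE_PARTS = (                                    # all three shapes must co-occur
    re.compile(r'\b(?:beneficiary|lottery|prize|winner)\b', re.I),
    re.compile(r'(?:\b(?:usd|eur|gbp)\b|\$)\s?\d[\d,]{5,}\b.{0,40}\b(?:draft|funds?|cheque|check)\b', re.I | re.S),
    re.compile(r'\b(?:courier|parcel|delivery|shipping)\b', re.I))

def lure_hits(text):
    hits = []
    if CLIPBOARD_LURE.search(text):
        hits.append('SE_CLIPBOARD_COMMAND_LURE')
    if all(p.search(text) for p in ADVANCE_FEE_PARTS):
        hits.append('SE_ADVANCE_FEE_SCAM_LURE')
    return hits

def analyse(pdf):
    urls = extract_urls(pdf)
    return {'urls': urls, 'navigable': [(c, u) for c, u in urls if is_navigable(c, u)],
            'lures': lure_hits(body_text(pdf))}

if __name__ == '__main__':
    result = analyse(SAMPLE_PDF)
    for channel, url in result['urls']:
        print(f'{channel:16} {url}' + ('' if is_navigable(channel, url) else '   (namespace URI, not a link)'))
    print('heuristics:', ', '.join(result['lures']) or 'none')
```

The channel matters for triage: a URL in a /Link annotation with a /URI action is one click away, a URL drawn in the body text must be retyped or copied, and a namespace URI in the XMP packet is never visited at all. Keying the per-URL list on that channel, as the report's EMBEDDED_URL entry does, is what keeps the six metadata namespaces from inflating the indicator count.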

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt font programs (TrueType/OpenType containers), which is standard output for a wkhtmltopdf/Qt-rendered document; they are listed for completeness and none of the heuristics above fires on them.

  • font_00_sfnt_off00036e22.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x36E22   Size: 6568 bytes
    SHA-256: a4af041a1f0d4c38f6ad1bf96ad04d86226b7158e00c36bfafa620d2932d04d4
  • font_01_sfnt_off00037e70.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x37E70   Size: 5164 bytes
    SHA-256: 5788a15bcb7c875ce92d55a97f49c3a67106439e334bb3332b1561ff20fa3527
  • font_02_sfnt_off00038ffa.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x38FFA   Size: 1700 bytes
    SHA-256: a2a592d7f3c19d5c7a9cd22bee3c2949d58e30f85cf180640836e2db01ff1c49
  • font_03_sfnt_off0003987b.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x3987B   Size: 16084 bytes
    SHA-256: f0110a5e1199465dd3791f248f95c0866d67cb825e9d89381eec0c476e0b8daf
  • font_04_sfnt_off0003cb32.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x3CB32   Size: 16148 bytes
    SHA-256: 51babe3b44e703ca5a92278b053c112c5c116674d3b708c8e2cb3e4aa6bd9a04
  • font_05_sfnt_off0003e03f.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x3E03F   Size: 4324 bytes
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
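How offsets and sizes like those above are produced, as an added example that is not the analyser's code: scan a decoded buffer for an sfnt magic, validate the table directory so that stray 0x00010000 or "true" bytes are not reported as fonts, and size the font from the end of its furthest table, rounded up to the 4-byte alignment the format requires. The buffer below is constructed inline and contains two fake fonts plus two decoy magics; the sfnt builder and the plausibility limits (at most 64 tables, printable tags, tables after the directory) are assumptions for this example.

```python
"""Carve embedded sfnt fonts (TrueType/OpenType containers) from a buffer.

Added example, not the report generator's code.  Works on an already-decoded
buffer; FontFile2/FontFile3 streams in a real PDF are normally FlateDecode-
compressed and must be inflated before scanning."""
import struct

SFNT_MAGICS = (b'\x00\x01\x00\x00', b'OTTO', b'true')
MAX_TABLES = 64          # real fonts carry roughly 10-30 tables; more is junk data

def sfnt_extent(buf, off):
    """Size of the sfnt at buf[off], or None if the directory is implausible."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables, = struct.unpack_from('>H', buf, off + 4)
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = off + 12 + 16 * num_tables
    if dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from('>4sIII', buf, off + 12 + 16 * i)
        # Tags are printable ASCII; tables live after the directory and inside the buffer.
        if any(b < 0x20 or b > 0x7e for b in tag) or toff < 12 + 16 * num_tables:
            return None
        if off + toff + tlen > len(buf):
            return None
        end = max(end, off + toff + tlen)
    return (end - off + 3) & ~3                          # tables are long-aligned

def carve_sfnt(buf):
    """Return [(offset, size, magic)]; skips past each carved font so bytes
    inside it (e.g. a literal 'true') are not reported as another font."""
    fonts, i = [], 0
    while i + 12 <= len(buf):
        size = sfnt_extent(buf, i) if buf[i:i + 4] in SFNT_MAGICS else None
        if size:
            fonts.append((i, size, buf[i:i + 4]))
            i += size
        else:
            i += 1
    return fonts

# Constructed test data (assumed layout, not bytes from the analysed sample).
def build_sfnt(tables, magic=b'\x00\x01\x00\x00'):
    """Assemble a minimal sfnt from {tag: bytes}.  Checksums are left zero;
    they do not matter for carving, and real fonts often get them wrong."""
    data_start = 12 + 16 * len(tables)
    directory, body = b'', b''
    for tag, data in sorted(tables.items()):
        directory += struct.pack('>4sIII', tag, 0, data_start + len(body), len(data))
        body += data + b'\0' * (-len(data) % 4)
    return magic + struct.pack('>HHHH', len(tables), 0, 0, 0) + directory + body

FONT_A = build_sfnt({b'cmap': b'\0' * 10, b'glyf': b'\x11' * 5, b'head': b'\x22' * 54})
FONT_B = build_sfnt({b'CFF ': b'\x01' * 33, b'name': b'\x02' * 7}, magic=b'OTTO')
DECOY = b'\x00\x01\x00\x00' + b'\xff' * 20            # magic bytes, garbage directory
SAMPLE = (b'%PDF-1.4 junk ' + DECOY + b' true ' + FONT_A
          + b'\0' * 7 + FONT_B + b'\nendstream')

if __name__ == '__main__':
    for off, size, magic in carve_sfnt(SAMPLE):
        print(f'embedded font (sfnt, magic {magic!r}) at offset 0x{off:X}, {size} bytes')
```

The directory check is what makes this usable on real files: 0x00010000 occurs constantly in binary data, so a carver that trusts the magic alone produces a flood of bogus artifacts. Every size in the table above is a multiple of 4, consistent with sizing by the aligned end of the last table rather than by the stream's /Length.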