Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2160cd41df38cd3…

MALICIOUS

PDF

288.4 KB Created: 2020-07-10 07:06:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be3100f8842a4cf7ad1fff7b63edeca9 SHA-1: c48f4d3b63a7adedc0cb107518508284de1927a7 SHA-256: f2160cd41df38cd3926197e91ff934cffd58b40492c569c03982e874db32bdfc
Risk score: 108

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (the PDF itself is the delivery vehicle)
T1059.001 PowerShell (not evidenced in this sample: no script content was extracted from it)

Heuristics indicate the PDF is a malicious redirector document dressed up as an advance-fee scam, with lure text that refers to parcel delivery. The clickable URL, https://ttraff.com/wb?keyword=rtw%201064%20plus%20manual, is flagged as malicious and most likely leads, through a redirect chain, to the next stage of the attack. No script content (JavaScript or otherwise) was extracted from this sample, so the document depends on the user following the link rather than on a parser vulnerability; the malicious URL combined with the scam lure points to phishing or malware distribution.

Heuristics 4

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is the classic shape of an advance-fee fraud document.
  • [low] SE_INVOICE_LURE: Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb. On its own this is weak; it is useful context when combined with link, macro, or attachment indicators.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reaches each URL.
    Flagged URL (clickable link): https://ttraff.com/wb?keyword=rtw%201064%20plus%20manual
    Other URLs extracted from the document:
    • http://files.examea.com/uploads/1/3/1/4/131454503/nidajapuw.pdf
    • http://files.defineandfree.com/uploads/1/3/0/7/130740256/lalopipufaj-zikov.pdf
    • http://files.theladiescommunity.com/uploads/1/3/1/3/131398449/tejam.pdf
    • http://files.zsuzsaszuts.com/uploads/1/3/1/6/131606819/lukixu-mekatadegegejir.pdf
    • http://files.prettylittlerose.uk/uploads/1/3/1/3/131398386/waputil.pdf
    • http://files.thenauticalartsworkshop.com/uploads/1/3/1/6/131606035/bikebawifutir.pdf
    • http://files.parentsoftransgenderkids.org/uploads/1/3/1/3/131382907/d444faa4.pdf
    • http://files.annagalatirealtor.com/uploads/1/3/0/7/130776718/979473.pdf
    • http://files.drawingonmusic.com/uploads/1/3/1/0/131070044/mupesibudunug-womexezaluzo.pdf
    • http://files.kemministries.com/uploads/1/3/2/8/132816066/2299268.pdf
    • http://files.boyrazak.com/uploads/1/3/0/7/130739836/deletijarum_zujujob_dikiragidizuz.pdf
    • https://getaxigafinu.files.wordpress.com/2020/07/jevatunowekajivunitowaker.pdf
    • https://dexubifomuti.files.wordpress.com/2020/06/foxamekonini.pdf
    • https://molavoj.files.wordpress.com/2020/06/pebebanivelixademolawas.pdf
    • https://ragupawagev.files.wordpress.com/2020/07/bosuvovasazuja.pdf
    • https://toxuluva830071386.files.wordpress.com/2020/06/45636537373.pdf
    • https://senuxubu.files.wordpress.com/2020/07/libidam.pdf
    • https://fakuvinim168679484.files.wordpress.com/2020/07/jemederi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jexisobipa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kurejala.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kulabegidubonigupux.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30036161276.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP/RDF namespace)
    • http://purl.org/dc/elements/1.1/ (XMP/Dublin Core namespace)
    • http://ns.adobe.com/pdf/1.3/ (XMP namespace)
    • http://ns.adobe.com/xap/1.0/ (XMP namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (XMP namespace)
    The last six entries are XMP metadata namespace identifiers from the document's metadata stream (RDF, Dublin Core, and Adobe PDF/XMP schemas); they are not navigable links and carry no detection weight.
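The per-URL channel labelling described above (link annotation versus JavaScript versus document body versus XMP metadata), the redirector-host match behind PDF_MALICIOUS_REDIRECTOR_LINK, and the vocabulary-group test behind SE_ADVANCE_FEE_SCAM_LURE, as an added, self-contained example; this is illustrative code written for this page, not the analysis engine that produced the report. The PDF bytes are constructed inline with uncompressed streams, the denylist REDIRECTOR_HOSTS is seeded only from the report's own finding, and the heuristic IDs are reused as labels (the XMP_NAMESPACE_NOT_A_LINK label and the lure vocabulary groups are assumptions).

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the analysed file): one page whose content stream
# carries advance-fee lure text, one /Link annotation pointing at the
# redirector URL from the report, and an XMP metadata stream whose xmlns
# declarations are the namespace URLs a naive grep would report as "links".
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 99 >>
stream
BT /F1 12 Tf 72 700 Td (Dear beneficiary, your prize draft and parcel await courier delivery) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710]
   /A << /S /URI /URI (https://ttraff.com/wb?keyword=rtw%201064%20plus%20manual) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 110 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed denylist, seeded from the report's own finding; a real deployment
# would load this from threat-intel feeds rather than hard-code it.
REDIRECTOR_HOSTS = {"ttraff.com"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")       # literal-string /URI only
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
TJ_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")         # text-showing operands

# Assumed vocabulary groups behind the advance-fee lure heuristic.
LURE_GROUPS = {
    "prize": ("lottery", "beneficiary", "prize", "winner"),
    "funds": ("draft", "funds", "payment", "usd"),
    "parcel": ("parcel", "courier", "delivery", "consignment"),
}


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs; the channel records how the URL is reachable."""
    found = []
    for _num, _gen, body in OBJ_RE.findall(pdf):
        if re.search(rb"/Subtype\s*/Link", body):
            channel = "link annotation"          # clickable: needs user interaction
            urls = [u.replace(b"\\(", b"(").replace(b"\\)", b")") for u in URI_RE.findall(body)]
        elif re.search(rb"/(JS|JavaScript)\b", body):
            channel = "javascript"               # reachable without a click
            urls = URL_RE.findall(body)
        elif re.search(rb"/Type\s*/Metadata", body):
            channel = "xmp metadata"             # namespace identifiers, not links
            urls = URL_RE.findall(body)
        else:
            channel = "document body"
            urls = URL_RE.findall(body)
        found.extend((u.decode("latin-1"), channel) for u in urls)
    return found


def page_text(pdf: bytes) -> str:
    """Crude text recovery from uncompressed content streams (Tj operands only)."""
    return " ".join(s.decode("latin-1") for s in TJ_RE.findall(pdf))


def lure_groups(text: str):
    """Which advance-fee vocabulary groups occur in the recovered text."""
    t = text.lower()
    return sorted(g for g, words in LURE_GROUPS.items() if any(w in t for w in words))


def analyse(pdf: bytes):
    """Per-URL labels plus the lure heuristic, using the report's IDs as labels."""
    findings = []
    for url, channel in extract_urls(pdf):
        host = urlparse(url).hostname or ""
        if channel == "link annotation" and host in REDIRECTOR_HOSTS:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", url))
        elif channel == "xmp metadata":
            findings.append(("info", "XMP_NAMESPACE_NOT_A_LINK", url))
        else:
            findings.append(("info", "EMBEDDED_URL", f"{url} via {channel}"))
    groups = lure_groups(page_text(pdf))
    if len(groups) >= 2:                         # two vocabulary groups = scam shape
        findings.append(("high", "SE_ADVANCE_FEE_SCAM_LURE", ",".join(groups)))
    return findings


if __name__ == "__main__":
    for severity, ident, detail in analyse(SAMPLE_PDF):
        print(f"{severity:8s} {ident:32s} {detail}")
```

The channel matters more than the URL string: a /URI action inside a /Link annotation fires only when the user clicks, a /JS or /JavaScript action can fire on open, and an xmlns declaration in the XMP stream never fires at all. Real samples keep content and metadata streams behind /FlateDecode, so the regexes above would have to run over inflated stream data, and /URI values can also be hex strings, which the literal-string pattern here does not cover.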

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00043778.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x43778 | 5012 bytes
  SHA-256: d4e771674407190fa12aefaf628b27f28e46500f9f03623c6043dd62e1160926
font_01_sfnt_off0004487d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4487D | 12900 bytes
  SHA-256: f0795fd3d312c663bdce68dedc82a16e0eec5326e532e06ad87c462978599461
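How a carver produces entries like the two above, as an added example written for this page rather than the analysis engine's own code: scan for sfnt magics, derive the font's size from its table directory, hash the blob, and name it after its offset in the report's font_NN_sfnt_offXXXXXXXX.bin style. The sample bytes are constructed inline (a minimal sfnt container with two dummy tables, preceded by the PDF boolean `true`, which shares bytes with one of the magics and must be rejected); the numTables limit of 64 and the helper build_sfnt are assumptions for the example. Real PDFs usually wrap font streams in /FlateDecode, so in practice this runs over inflated stream data.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, Mac TrueType


def sfnt_length(data: bytes, off: int):
    """Size of the sfnt at off, derived from its table directory; None if not a font.

    Validating numTables, tag characters and table bounds rejects decoy hits
    such as the PDF boolean 'true', which shares bytes with one of the magics.
    """
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:                  # assumed sanity bound
        return None
    dir_end = 12 + 16 * num_tables                 # header + directory records
    if off + dir_end > len(data):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):  # tags are printable ASCII
            return None
        if toff < dir_end or toff + tlen > len(data) - off:
            return None
        end = max(end, toff + tlen)
    return end


def carve_sfnt(data: bytes):
    """Carve every sfnt font from data, naming files the way the report does."""
    found, pos = [], 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(data, off)
        if length is None:                 # not a font directory: keep scanning
            pos = off + 1
            continue
        blob = data[off:off + length]
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
            "offset": off,
            "size": length,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = off + length                 # do not re-scan inside the carved font


def build_sfnt(tables):
    """Assemble a minimal sfnt container (constructed test data, not a usable font)."""
    n = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * n
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
    return header + directory + body


# Constructed sample: a PDF boolean 'true' (decoy hit) ahead of an uncompressed
# stream that carries the font.
SAMPLE_FONT = build_sfnt([(b"head", b"H" * 56), (b"name", b"N" * 20)])
SAMPLE_STREAM = (b"%PDF-1.4\n<< /Interpolate true /Length 120 >>\nstream\n"
                 + SAMPLE_FONT + b"\nendstream\n")

if __name__ == "__main__":
    for f in carve_sfnt(SAMPLE_STREAM):
        print(f"{f['name']}  {f['size']} bytes  {f['sha256']}")
```

Taking the size from the table directory rather than from the enclosing stream's /Length is what lets the carver report a font that is smaller than, or not aligned with, the stream it sits in, which is why the artifact sizes above need not match any stream length in the file.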