Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2ae0ddd82b5f41b…

MALICIOUS

PDF

43.3 KB Created: 2020-08-30 18:25:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 937282223421092ff3e03bfb13b2d4b4 SHA-1: e0aa64d24a63c372eece779083bcb50835476988 SHA-256: f2ae0ddd82b5f41bdc19c9e4666617ea00d3b7b30334b13c419064d93c0538e7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for an advance-fee scam lure, indicating it attempts to trick users with promises of prizes or funds. It also contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/wix?keyword=what+deal+does+khrushchev+propose+to+kennedy`. The document body, though heavily obfuscated, contains this URL and numerous other links, suggesting a link farm designed to redirect users to malicious sites. The presence of a malicious redirector and the advance-fee scam lure strongly indicate a phishing or social engineering attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=what+deal+does+khrushchev+propose+to+kennedy
    • https://static.usrfiles.com/ugd/97634b_437483d6ada84250947e4564235b2333.pdf
    • https://static.usrfiles.com/ugd/f0e51d_a3d62413912049f79ff8757580e9dda7.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f3eccaf156e4af7859294b9918a49ba.pdf
    • https://static.usrfiles.com/ugd/efb3f0_eeaf05c61efe4c55b8b3927fd4385cc5.pdf
    • https://cdn.shopify.com/s/files/1/0439/6810/2558/files/ending_sounds_worksheets_for_first_grade.pdf
    • https://cdn.shopify.com/s/files/1/0464/6676/0856/files/24938984370.pdf
    • https://cdn.shopify.com/s/files/1/0430/6409/8970/files/fazixedalurapodojerig.pdf
    • https://cdn.shopify.com/s/files/1/0437/8034/1917/files/40294255248.pdf
    • https://static.usrfiles.com/ugd/2f7815_72e2972da0634fbf8d1a118dada231ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_7bc36a9f5104486ca7fc52d0f3f10884.pdf
    • https://cdn.shopify.com/s/files/1/0432/6172/2788/files/36421416150.pdf
    • https://cdn.shopify.com/s/files/1/0433/6222/2232/files/xobirifalapoxaxalikid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b24.bin
3e8c17630317c27b3d7020afd3f8f10de77c83559817189783f57440c40e61c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B24 5400 bytes
font_01_sfnt_off00007d91.bin
a37577205c8e804f8d0dca5dffe6de7acafb161dcaa17742614017cf0aaf14d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D91 10304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.