Malicious PDF — malware analysis report

Static analysis result for SHA-256 20c0d96b97270c41…

MALICIOUS

PDF

40.8 KB Created: 2020-08-23 13:03:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10eb67fab710432506b81f78e9501faa SHA-1: 4838ab979cbb149159d678bcaabcc4d0513187ae SHA-256: 20c0d96b97270c4112b3200e5103a603a71477c5c5e23cb75b6ba10d3eba9296
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple embedded links, with one identified as a malicious redirector. The document body and heuristics indicate a lure related to a 'university degree application form' and a 'fake invoice/payment' scenario, combined with an MFA lure. This suggests the primary goal is to trick the user into clicking the malicious link, which likely leads to credential harvesting or a second-stage payload download.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bharathiar+university+degree+application+form
    • http://kurodol.geogyourmemory.com/uploads/1/3/1/6/131606233/xuminamoj.pdf
    • http://files.ronellesart.com/uploads/1/3/1/0/131070407/1ed8d1ac52fa8.pdf
    • http://files.easternsloperanch.com/uploads/1/3/2/6/132681404/3588728.pdf
    • https://cdn.shopify.com/s/files/1/0429/4728/1062/files/physiology_mcq_books_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/5104/8357/files/busojufelaf.pdf
    • https://cdn.shopify.com/s/files/1/0445/1778/5759/files/puguverogur.pdf
    • https://cdn.shopify.com/s/files/1/0432/5870/8136/files/freebsd_desktop_guide.pdf
    • https://cdn.shopify.com/s/files/1/0447/4994/7029/files/aspiration_pneumonia_dog.pdf
    • https://cdn.shopify.com/s/files/1/0446/9614/1980/files/applied_linguistics_in_teaching_english.pdf
    • https://cdn.shopify.com/s/files/1/0428/7466/7164/files/ravirer.pdf
    • https://cdn.shopify.com/s/files/1/0433/0645/1094/files/odisha_govt_holidays_2020.pdf
    • https://cdn.shopify.com/s/files/1/0440/8197/1365/files/king_arthur_legend.pdf
    • https://cdn.shopify.com/s/files/1/0430/4578/1665/files/69851866130.pdf
    • https://cdn.shopify.com/s/files/1/0428/9550/7622/files/ruluz.pdf
    • https://cdn.shopify.com/s/files/1/0436/5372/6358/files/kefedu.pdf
    • https://cdn.shopify.com/s/files/1/0437/6847/9893/files/piloruw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fb1.bin
85d75e20037093d5ba7432e77260e12c1477a3270592618b3bb28d0d99830e9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FB1 5780 bytes
font_01_sfnt_off00007347.bin
58803ab5038b17d9e382cd3c260246cb5befe51047852ee6de1dd0501f932ba1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7347 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.