Malicious PDF — malware analysis report

Static analysis result for SHA-256 3af1d6415e43f1c1…

MALICIOUS

PDF

48.2 KB Created: 2020-08-16 18:25:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e9fe818ee3ab0e27618d5451f766f641 SHA-1: c71b57691eec6eca491deaa61cae49c907ab2c08 SHA-256: 3af1d6415e43f1c1832f30ed11457e5676790289d750deef985423dbb2f99676
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links, with one prominently leading to a known malicious redirector. The document body, though partially garbled, contains text related to a 'Dodge challenger rt manual 2010' and the malicious URL, suggesting a lure to trick users into clicking. The presence of a link farm heuristic further indicates an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes. No scripts were extracted, but the PDF structure and embedded links are sufficient to infer a malicious redirection attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=dodge+challenger+rt+manual+2010
    • http://files.fpepumps.com/uploads/1/3/0/8/130874102/612850.pdf
    • http://nizejo.acupunctureforwellbeing.com/uploads/1/3/2/8/132814930/veposo-wojug.pdf
    • https://cdn.shopify.com/s/files/1/0432/9265/5780/files/bamiweduj.pdf
    • https://cdn.shopify.com/s/files/1/0432/5349/8019/files/82768517207.pdf
    • https://cdn.shopify.com/s/files/1/0436/0034/7299/files/basketball_rules_quiz.pdf
    • https://cdn.shopify.com/s/files/1/0431/5978/1538/files/kejiziwowaf.pdf
    • https://cdn.shopify.com/s/files/1/0439/1842/6267/files/atomic_habits_by_james_clear.pdf
    • https://cdn.shopify.com/s/files/1/0430/2936/4889/files/mathematics_syllabus_for_jhs.pdf
    • https://cdn.shopify.com/s/files/1/0441/1329/7560/files/tixojuwazuma.pdf
    • https://cdn.shopify.com/s/files/1/0429/8702/8641/files/rimusububimupasofipex.pdf
    • https://cdn.shopify.com/s/files/1/0428/3275/6902/files/tepinogagibo.pdf
    • https://cdn.shopify.com/s/files/1/0436/0775/2866/files/ruwuzulodelavid.pdf
    • https://cdn.shopify.com/s/files/1/0434/9450/6661/files/fovipanibemiroxano.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c29.bin
ac4851af862e1a07d528fd9dbe55fb32a3a0fa5ae0b268ad824df8430d5d8122		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C29 5500 bytes
font_01_sfnt_off00008eb7.bin
db9ca71ab2b8d6b500f58eb1135b6242a3f1bb5058e3a82aa09603a4ea333b38		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EB7 10864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.