Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c38f7c3c9297137…

MALICIOUS

PDF

23.1 KB Created: 2020-08-15 07:59:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e22b5c239ebcc27bd3702d876f3bd1bb SHA-1: 1c71474c39e0c6bc753116a6b9cdb731bf634c43 SHA-256: 4c38f7c3c9297137df2fe015f98ae23b7fbfa2433cc9eb1b8bd54185e63e82c9
170 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF is an image-only lure, typical of phishing, designed to trick users into clicking a link. The primary link redirects through ttraff.ru, which is flagged as malicious infrastructure. The document also contains a large number of links to external PDFs, many hosted on cdn.shopify.com, likely for SEO manipulation or to obscure the malicious redirector. No scripts were extracted, but the presence of a malicious redirector and the image-based lure strongly indicate a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 23 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=pandoc%20markdown%20to%20pdf%20font%20size
    • http://botosul.tdoulaarts.com/uploads/1/3/2/7/132710712/ae97c5abd4.pdf
    • http://files.elevateyc.org/uploads/1/3/1/0/131070309/7538866.pdf
    • http://files.2dacademy.com/uploads/1/3/1/4/131437246/9770696.pdf
    • http://dokirid.freebirdbooks.com/uploads/1/3/0/8/130814328/2614673.pdf
    • https://cdn.shopify.com/s/files/1/0439/1639/4648/files/toxalurimawuxakenolodi.pdf
    • https://cdn.shopify.com/s/files/1/0430/0141/3785/files/88360859893.pdf
    • https://cdn.shopify.com/s/files/1/0430/4207/8877/files/calculus_early_transcendentals_briggs_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/2738/9851/files/83427267397.pdf
    • https://cdn.shopify.com/s/files/1/0431/5476/8021/files/xotoxerejavelilesolekibe.pdf
    • https://cdn.shopify.com/s/files/1/0435/6535/1071/files/voduxi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dosodasanofesawule.pdf
    • https://cdn.shopify.com/s/files/1/0432/3537/7307/files/98160848545.pdf
    • https://cdn.shopify.com/s/files/1/0433/8899/3703/files/c_add_to_list.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.