Malicious PDF — malware analysis report

Static analysis result for SHA-256 5076c55db516ecce…

MALICIOUS

PDF

71.5 KB Created: 2020-09-06 00:25:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a7fb065210bf4f11821da5bef2c1a84 SHA-1: 22c39d0693ff195e748bcd8045f975ed599e03e1 SHA-256: 5076c55db516ecce1e806dc6c84e12abdb180f30185d40e01fc9cba8eaecac37
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, which is a strong indicator of malicious intent. The document body and heuristic firings suggest an advance-fee scam or callback phishing lure, aiming to trick the user into clicking the link. The presence of a link farm further supports the malicious nature of the document, likely for SEO poisoning or distributing malicious content.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=arabic+calligraphy+maker+free
    • https://static.usrfiles.com/ugd/2c608b_50f975ce30c94e70a8877dd72fb484c4.pdf
    • https://static.usrfiles.com/ugd/a43ec6_7c183e7523bb4c3a8cccf884a0ad555c.pdf
    • https://static.usrfiles.com/ugd/270e53_bc9fa4f71fba4b88a4bcd3cfcc51dac3.pdf
    • https://static.usrfiles.com/ugd/b8c837_ae03b30485084813961b24a2ed935480.pdf
    • https://static.usrfiles.com/ugd/3eed2b_b432b94c2e204f889eb811d94c8c050a.pdf
    • https://cdn.shopify.com/s/files/1/0433/6759/6191/files/classical_hymns_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0431/3009/3728/files/rolemedulubesokaruzuneru.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6677/files/android_apps_that_make_you_money.pdf
    • https://cdn.shopify.com/s/files/1/0429/7955/7529/files/pamaxujopafejapewop.pdf
    • https://cdn.shopify.com/s/files/1/0433/4741/1096/files/41422776302.pdf
    • https://static.usrfiles.com/ugd/80bfa9_3b5fbf184cf942499c87b2e566defadd.pdf
    • https://static.usrfiles.com/ugd/55cc32_87fb4f0f28a94d109ff8c0ec02dc08ee.pdf
    • https://static.usrfiles.com/ugd/b41a9a_2e093b7f9e9e4fe7b663de4f49a5e990.pdf
    • https://static.usrfiles.com/ugd/4725f1_4ef7fa8c632244239572e922d4bdf63f.pdf
    • https://static.usrfiles.com/ugd/144d27_3189507aeb5848e6a03744449052fe1f.pdf
    • https://cdn.shopify.com/s/files/1/0431/0463/2998/files/16847681248.pdf
    • https://cdn.shopify.com/s/files/1/0439/1138/1147/files/google_classroom_app_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0437/4659/0872/files/56363264370.pdf
    • https://cdn.shopify.com/s/files/1/0429/3119/1975/files/16962664785.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a3a7.bin
f6b0a5a302161f91a30bc1e94c22cc3005600f3beafb260c10908c845d6cdbd2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3A7 6544 bytes
font_01_sfnt_off0000b3c8.bin
4aba2bb845853324476be69e5ed1bf4ff35002942389efac2b843cac1129f0e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB3C8 2828 bytes
font_02_sfnt_off0000bdc3.bin
37baea5a291d7f273b8363426528ba5d0d847547a3e5f13105ff613797463fc8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBDC3 5548 bytes
font_03_sfnt_off0000d080.bin
97b3ae5eea05aa6c1df3912aa697cb3a844e6328ccaf65aede312a9938480bc7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD080 10476 bytes
font_04_sfnt_off0000f496.bin
35a9c5c8c5b18142bcfde61eb40fa388e5cb6cd4d828e1dc1558c18412ef12e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF496 17744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.