Malicious PDF — malware analysis report

Static analysis result for SHA-256 84284b16c0633fdc…

MALICIOUS

PDF

38.1 KB Created: 2020-09-03 12:41:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1163f37e5c6e2a057b0e7e8b52d56541 SHA-1: 511544f4af8533c543f364ee65297968197c8fb4 SHA-256: 84284b16c0633fdc173484c228c699f5f2c2938d7ee2a5a33af2929c336d4669
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF contains a link farm and a direct link to a known malicious redirector, indicating a phishing or scam attempt. The presence of a visual download button further supports this. The document body, though heavily obfuscated, contains the target URL, suggesting the document's primary purpose is to drive clicks to malicious infrastructure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=canon+pixma+mg2522+setup
    • https://static.usrfiles.com/ugd/db1da1_573bb7a6021f46ad8bcdb5f9c35cd193.pdf
    • https://static.usrfiles.com/ugd/b8c837_b128c3a141f74a0eb75a7d75772ce05b.pdf
    • https://static.usrfiles.com/ugd/ef7b09_a6f8e27c585640f091173742470a5048.pdf
    • https://cdn.shopify.com/s/files/1/0428/8430/0959/files/zozow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65028435792.pdf
    • https://cdn.shopify.com/s/files/1/0430/8546/3713/files/94167597621.pdf
    • https://cdn.shopify.com/s/files/1/0428/3059/4204/files/vetegebe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dagezaluvonanapukinuwit.pdf
    • https://cdn.shopify.com/s/files/1/0431/4670/7104/files/belly_up_book.pdf
    • https://static.usrfiles.com/ugd/1849a1_35f62bf5f31c4a469d10d60f13ffa821.pdf
    • https://static.usrfiles.com/ugd/0e6328_a80ab87bc07c457684ddc44487b04876.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000058a4.bin
99c0f4a30d007999f26f53e6afee74978ceecbb37ea1c14a993a48a4af5ef8da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58A4 5240 bytes
font_01_sfnt_off00006a73.bin
99aa8bdd40ce878acb6a63dacf7e4b223cac9a083736dda5e81ca6696de393ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A73 9844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.