Malicious PDF — malware analysis report

Static analysis result for SHA-256 b728472b3c4075b6…

Verdict: MALICIOUS
File type: PDF
Size: 40.4 KB
Created: 2020-09-02 07:38:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17fa3a9faa841d7263fcce9fe96e5969
SHA-1: 52ab4b6861f66a7c61466ed4d0c2974342befc49
SHA-256: b728472b3c4075b679d221d29c56ab563e3b2133f432130909bec9b8069cee7c
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link that redirects to malicious infrastructure, disguised as an answer key for a judicial exam. The document body also contains multiple links to external PDFs, suggesting a link farm or SEO poisoning tactic. The presence of a callback lure further indicates a phishing or scam attempt.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=haryana+judicial+exam+2018+answer+key
    • https://static.usrfiles.com/ugd/bcd086_7648c70de7b14e9b9caeedfe983dd170.pdf
    • https://static.usrfiles.com/ugd/8c0e65_b2d9c80cf04940ca929ea52d1b82bbca.pdf
    • https://static.usrfiles.com/ugd/b8c837_17821927c5e34fd98c198a30765cdcdf.pdf
    • https://static.usrfiles.com/ugd/7c30af_274097f48d87424999ca7666ae566654.pdf
    • https://static.usrfiles.com/ugd/3aee12_c16dbd13adb741d6a4cd52aa237323d8.pdf
    • https://cdn.shopify.com/s/files/1/0428/5349/9046/files/semipuxelis.pdf
    • https://cdn.shopify.com/s/files/1/0429/4311/9527/files/bulamagovoti.pdf
    • https://cdn.shopify.com/s/files/1/0445/9141/5460/files/approximation_for_ibps_clerk_2020.pdf
    • https://cdn.shopify.com/s/files/1/0437/2715/9448/files/android_objectanimator_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0431/9277/8912/files/67125506813.pdf
    • https://cdn.shopify.com/s/files/1/0430/1615/9385/files/name_wala_cake_pic.pdf
    • https://cdn.shopify.com/s/files/1/0430/4932/0597/files/respiratory_pathology_mcq.pdf
    • https://static.usrfiles.com/ugd/a07927_64a282e590a749059300dc888623cc6d.pdf
    • https://static.usrfiles.com/ugd/2274a7_aee96b7a0d964827988ec7cc096ff8db.pdf
    • https://static.usrfiles.com/ugd/33a2e4_bb6c461fff48408b8144a16e24337a4b.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_c54a0a3d391949bd90db21d03ef86877.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005cd9.bin | 463516fe69a645b25b501d78ff0c95e387b4cb8869072ae303cc5def3dc06e86 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5CD9 | 5968 bytes
font_01_sfnt_off00007137.bin | cd955fa0b61e78a9c25d0bc571d6f013234e9dea6b38fe9beda8e011a5c37c4a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7137 | 10444 bytes