Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc33836253a38b08…

MALICIOUS

PDF

41.9 KB Created: 2020-09-05 05:30:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 952b5e86724764b23993b2248db0836a SHA-1: d9dba73fe939521c2540aafa2cc61eb5ef0e4c49 SHA-256: bc33836253a38b08e0070db78850fc745d05711af6a27cf024b9f68f53a5c063
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link that is disguised as a download button. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the link leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic suggests the PDF is part of a larger link farm, likely to improve search engine ranking for malicious content. The document body contains a call-to-action phrase, reinforcing the lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=internship+report+format+sample+doc
    • https://static.usrfiles.com/ugd/837d34_fe3326f5b6894c529a1b0711144f6ef3.pdf
    • https://static.usrfiles.com/ugd/1b7c00_8419a1d1fa2645aa9261a666f698b88c.pdf
    • https://static.usrfiles.com/ugd/1df9ea_f6c3ce5c1eda4c3595cad5c32ed392e4.pdf
    • https://cdn.shopify.com/s/files/1/0437/8768/1952/files/50946461696.pdf
    • https://cdn.shopify.com/s/files/1/0431/9733/3664/files/lock_pick_rake_template.pdf
    • https://static.usrfiles.com/ugd/a31856_900a05b7cbe14c0abacdfeb8492793d9.pdf
    • https://static.usrfiles.com/ugd/866690_e6b654246713476a9f3e601a28fc7b59.pdf
    • https://static.usrfiles.com/ugd/b8c837_a15df89d11d04cac9da1fcf2f28cd735.pdf
    • https://static.usrfiles.com/ugd/7dfe85_1d584649e55e490a8c43e8b053ec94ca.pdf
    • https://static.usrfiles.com/ugd/314c35_69be945b56494fa8a535682eea889e3c.pdf
    • https://static.usrfiles.com/ugd/51c472_825671bd24b04b5e87d2edb17525f606.pdf
    • https://static.usrfiles.com/ugd/1849a1_46994836a6aa4c8e8b41b78629a2a24d.pdf
    • https://static.usrfiles.com/ugd/ef7b09_25c83391d95247969e226028d277d139.pdf
    • https://static.usrfiles.com/ugd/cf14a4_3283eef071514daf9ab1dfc6dd46eadd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066e6.bin
f118a6983010165a7c32cb8925564e74ad0bce3195303084bb24daa41ecf8cb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66E6 5332 bytes
font_01_sfnt_off000078da.bin
b77cd2f694d46e19366141c539ec9fdceb5ee59042cf55567cfd30289d3ca518		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78DA 10028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.