Malicious PDF — malware analysis report

Static analysis result for SHA-256 c94161b4e1772be3…

MALICIOUS

PDF

38.5 KB Created: 2020-08-31 08:07:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 518a2d797abf640b0739375201ff7a15 SHA-1: a34885a1ccbe17321f44f411ee938858eb239b47 SHA-256: c94161b4e1772be397c13fd87ce981464a2127e42fad76142f4f20d27cca6bd1
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF file contains a prominent link disguised as a download button, which redirects to a known malicious URL. This suggests a social engineering attack aimed at tricking the user into visiting a harmful site. The PDF also contains a link farm, indicating an attempt to manipulate search engine results or distribute content widely. No scripts were extracted, and the document body is heavily obfuscated.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=the+nightmare+before+christmas+google+drive
    • https://static.usrfiles.com/ugd/2f07a1_e2ad95a2a8264d28a571bfbfdce64ab3.pdf
    • https://static.usrfiles.com/ugd/23e9be_4e37490ff1ee4f93b7f7d39c63eb3cc5.pdf
    • https://static.usrfiles.com/ugd/95089d_ca375236dfa64a479dfd4c1488472075.pdf
    • https://static.usrfiles.com/ugd/e42ee3_56664ed76cee4eabbf6ed6635614da55.pdf
    • https://static.usrfiles.com/ugd/b8c837_9f8ed2b1abe54ebb89ad6e7405b5138e.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_ae2c7848bde640ddbd9e613b923f00b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_0394808d7bf8439389b815fea504f58a.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_e8265665ba0f4b24904019a53d6e8e68.pdf
    • https://static.usrfiles.com/ugd/3f0e57_986c7af5e1bb49abab70d95ae4d01d79.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd9d5ca1546f425fb01233295b19e73b.pdf
    • https://static.usrfiles.com/ugd/217d68_e3ad2c1398254fe281d059c0b8aec0e3.pdf
    • https://cdn.shopify.com/s/files/1/0433/6664/5916/files/suddenlink_tivo_guide_not_working.pdf
    • https://cdn.shopify.com/s/files/1/0438/5167/7856/files/wunajixaborazulosuved.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2802/files/advantages_of_nuclear_family.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000056c5.bin
0ffa016b49258307b20ab9d05913ebba6b91c8a4eed2058254fd6c2ae84f8db6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56C5 5584 bytes
font_01_sfnt_off00006993.bin
bbe3632d741e586746aeeb6a2315f2ec74ad6cac4d8520a51b6b34ece4a885d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6993 10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.