Malicious PDF — malware analysis report

Static analysis result for SHA-256 3eff71991b5754e2…

MALICIOUS

PDF

41.4 KB Created: 2020-09-04 05:39:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b915c4dc69975278bf8d1b1a90acf621 SHA-1: fac37828fd4cdae5fe3b09a19d50a3c10870650d SHA-256: 3eff71991b5754e29f8614e2241aa1fc7b837aa4e23aabee49fe7ceda897c33b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.me/wix?keyword=cadena+de+suministro+walmart+pdf'. This indicates a phishing attempt disguised as a Walmart supply chain document. The document also contains a link farm heuristic, suggesting it's part of a larger SEO poisoning campaign to distribute malicious content. No scripts were extracted, but the primary attack vector is the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=cadena+de+suministro+walmart+pdf
    • https://static.usrfiles.com/ugd/77eba6_3c0a12cc78f143e58e6e9a9572381279.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b60b0c50f844d458b006f84c3d5d206.pdf
    • https://static.usrfiles.com/ugd/902d29_313c50dad27b48eaacb9e040cbb66088.pdf
    • https://static.usrfiles.com/ugd/f0b6b3_4d6baf47f8bc4eb1b9aae83a807d4354.pdf
    • https://static.usrfiles.com/ugd/b8c837_e2a383a491994bdb800dbf6807dcff9c.pdf
    • https://static.usrfiles.com/ugd/01e791_d8eccf54b2834dfa88ede3f4d1bd1b5e.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b5bb4c34d544e77a873316ca3b9b10f.pdf
    • https://static.usrfiles.com/ugd/4c76bf_0de2044388c34752b90d555eaf624bcf.pdf
    • https://static.usrfiles.com/ugd/6cfc61_a4b52aef1ce64fd5b3044665cbe09e9b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006564.bin
9bab6189871b1636e3076986289443671efb07bbf1facbff57cc2ad420f2f394		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6564 5184 bytes
font_01_sfnt_off000076fa.bin
edfcdea178878ac783abe12b31527d5a629082f307758f0bc7bfffbabd7abfb7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76FA 10092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.