Malicious PDF — malware analysis report

Static analysis result for SHA-256 94ae76c8ddf9c40a…

MALICIOUS

PDF

114.6 KB Created: 2020-09-10 08:50:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8790a2a343af725a4091368c02850664 SHA-1: d3b20d12d5bed80ba8de8b477e8b13004194bc81 SHA-256: 94ae76c8ddf9c40a5eb773ffd6e70d871c0833d19f7576b011aec2372344e3d5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link farm and a malicious redirector URL, suggesting a phishing or scam attempt. The document body, though heavily obfuscated, contains the text 'Cabbage farming tips pdf' and the malicious URL 'https://ttraff.link/wix?keyword=cabbage+farming+tips+pdf', indicating a lure to a malicious site. The presence of a callback phishing lure heuristic further supports a social engineering attack. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=cabbage+farming+tips+pdf
    • https://static.usrfiles.com/ugd/bf650e_b4de0168b3e54f7aac3f711c6cb42844.pdf
    • https://static.usrfiles.com/ugd/2f3216_33939c889fdc4e568e9cec2bf5610dd1.pdf
    • https://static.usrfiles.com/ugd/c162b3_18441ab4d79b494e8cb133acaa6f32b4.pdf
    • https://static.usrfiles.com/ugd/c068f8_b5a9cbd2896749deb299591e99b2a1b4.pdf
    • https://static.usrfiles.com/ugd/0511f5_fa478bb3033f47eca8f0f8a29471a22e.pdf
    • https://cdn.shopify.com/s/files/1/0431/0047/1456/files/84875419459.pdf
    • https://cdn.shopify.com/s/files/1/0428/9386/9223/files/79667282627.pdf
    • https://cdn.shopify.com/s/files/1/0432/8341/5204/files/cards_against_humanity_black_cards.pdf
    • https://cdn.shopify.com/s/files/1/0432/0657/4238/files/gunajan.pdf
    • https://cdn.shopify.com/s/files/1/0430/3123/2674/files/tujisubexewaz.pdf
    • https://static.usrfiles.com/ugd/e23fbb_6c3d926310e841de82d412dfebb067f3.pdf
    • https://static.usrfiles.com/ugd/ace02d_538253bcee2c4db58a264c252a76e628.pdf
    • https://static.usrfiles.com/ugd/6cf804_303a2293207b4dd19aa73eaa3f97dead.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000185c8.bin
2a8235ea84525a391c884236fb3e49a57be7d885c47ff1e2b323d9c6489d2672		 pdf-font-stream PDF embedded font (sfnt) at offset 0x185C8 5376 bytes
font_01_sfnt_off000197f7.bin
256b1e606e61750f9e67d5bd69470fba31e2ab7303fa7f6980c6b9ad52022000		 pdf-font-stream PDF embedded font (sfnt) at offset 0x197F7 10980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.