Malicious PDF — malware analysis report

Static analysis result for SHA-256 98101cd31d4253dd…

MALICIOUS

PDF

40.2 KB Created: 2020-09-08 00:07:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86703d1ea5b039423f4799857e81646f SHA-1: 5892032e6e07aebd60b067a9b33f60dd056b8d8c SHA-256: 98101cd31d4253dd4f241b4a0b5a578138a8e6b8b38d21548a4c05b394109b6a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be part of a lure. The primary attack vector is likely a phishing attempt using a seemingly legitimate document to redirect users to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=massachusetts+automobile+bill+of+sale+template
    • https://static.usrfiles.com/ugd/b0c717_810ca5998ab54be295d728bdc5133750.pdf
    • https://static.usrfiles.com/ugd/299074_a15cd8249f254df483ba97dbad22d5d3.pdf
    • https://static.usrfiles.com/ugd/87d215_f49d8e7991f845759fb052312b67b7e5.pdf
    • https://static.usrfiles.com/ugd/b65acf_7a1a10bbd232418f927f540f47c50838.pdf
    • https://static.usrfiles.com/ugd/469aea_c4819c1c87b54ed7885a668ef1ca9dd8.pdf
    • https://static.usrfiles.com/ugd/f8de3e_5eb1f41920e24c6fa990bf1537aa4055.pdf
    • https://static.usrfiles.com/ugd/d1d005_c91fe9f3a0e1484c9a3f9faf05bd271d.pdf
    • https://static.usrfiles.com/ugd/0d2fda_c159737569c840158b5846a461f64c1d.pdf
    • https://static.usrfiles.com/ugd/4733ca_3138ad6b6bcd4449a2e7909eb100655a.pdf
    • https://static.usrfiles.com/ugd/ee4a13_e27c87ab09c64e0fa98e5fca7991902a.pdf
    • https://static.usrfiles.com/ugd/b8c837_7554a1c1d336409b989e723bb9805fba.pdf
    • https://static.usrfiles.com/ugd/9fc8c3_9e1e8ab82c9242b18a092a96fc92e81a.pdf
    • https://static.usrfiles.com/ugd/d4da64_8028135b9da846e38fa4f06b723afa76.pdf
    • https://static.usrfiles.com/ugd/1849a1_f2ec6d61065544bb8264e02eaa87cf0a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ff7.bin
87c8b281295d88ee1c43639b65c1cb53ed73bd0a15700f12a21c912df08ad11b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF7 5304 bytes
font_01_sfnt_off000071ea.bin
e5c00950f64644ed7f6849f0ecbf26771645d0ed0f9d3b5b8412df1ab30574f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71EA 9880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.