Malicious PDF — malware analysis report

Static analysis result for SHA-256 f98c46b671736dfb…

Verdict: MALICIOUS
File type: PDF

Size: 29.0 KB
Created: 2020-09-01 17:19:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 408afdf0c80e65d1074343fa2b69389e
SHA-1: 5b8f963bca58b2f3bb884a96890105ed6b94fe32
SHA-256: f98c46b671736dfb9b1cbbf84bc8219c124a719b58fe8782e2336f58d9ec0f48
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links that together form a link farm. One of them, 'https://ttraff.com/wix?keyword=nufarm+sds+sheets', is identified as a known malicious redirector. The presence of this redirector indicates the document is designed to lure users to malicious sites, most likely for phishing or to download further malware. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=nufarm+sds+sheets

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off00003bf0.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x3BF0   5084 bytes
    SHA-256: b46c2edd1bfd18d56f7fdf6232870400bdb6490c5337913213e2983a145d2ba0
font_01_sfnt_off00004d11.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x4D11   7924 bytes
    SHA-256: 9c3b1fc474e836d7654e62cc6b919b08853a4e2ea3e99d4bd7d91c8e2c0409c3