Malicious PDF — malware analysis report

Static analysis result for SHA-256 98bad170ee964b48…

MALICIOUS

PDF

67.3 KB Created: 2020-07-08 11:38:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d039097838a730eb032ece8f741d763 SHA-1: ef104ff4fff7bd62a441087ee31c5c2e6628c025 SHA-256: 98bad170ee964b48ef3459f756e4d7c7cf79ba7652092f0f2f5e6f6fffcad491
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to a redirector service (ttraff.com) and then to other PDF files hosted on various domains. This indicates a link farm or SEO poisoning technique designed to lure users into downloading potentially malicious content. The primary lure appears to be a 'John Deere 210 operator's manual pdf'. No scripts were extracted, and the document body is heavily obfuscated, but the heuristic firings strongly suggest a malicious redirector and a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=john%20deere%20210%20operator
    • http://files.icthope.org/uploads/1/3/1/4/131437753/6587094.pdf
    • http://files.desertheartsphoenix.com/uploads/1/3/1/1/131163563/vodewavaguje.pdf
    • http://files.goldenspiraldesigns.com/uploads/1/3/0/7/130740232/5083549.pdf
    • http://files.vcgallery.org/uploads/1/3/1/8/131856381/rokererukirejakifu.pdf
    • http://files.siouxfallsbirth.com/uploads/1/3/0/7/130775511/3588451.pdf
    • http://files.navp.co.uk/uploads/1/3/0/9/130968956/kojiva_sapegitoxani.pdf
    • http://files.mindrawise.com/uploads/1/3/1/3/131379290/fojinime.pdf
    • http://files.rushizle.com/uploads/1/3/0/7/130776338/3326136.pdf
    • http://files.mgtconcepts.com/uploads/1/3/1/4/131453725/pipadejirivuvo_gazugubagaxux_fugaradonebo.pdf
    • http://files.spartanstoneworks.com/uploads/1/3/1/8/131856518/8050331.pdf
    • https://basogobap.files.wordpress.com/2020/07/bubasafofuj.pdf
    • https://perorukone.files.wordpress.com/2020/07/27510469873.pdf
    • https://jipijitu.files.wordpress.com/2020/07/41078390619.pdf
    • https://molejupo.files.wordpress.com/2020/06/55788700217.pdf
    • https://ribixobu.files.wordpress.com/2020/06/dowosuk.pdf
    • https://fakadepe.files.wordpress.com/2020/07/87883574349.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bb23.bin
c6275c02c5cf19992dbfdae1f542944f52506711ea619e472758eed57333d741		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBB23 5464 bytes
font_01_sfnt_off0000cd8a.bin
aed0e825534a915d9030bad84be92a640bba1c84aa38acc08b405f71ce27ad49		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCD8A 16500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.