Malicious PDF — malware analysis report

Static analysis result for SHA-256 ded83e3c5ad79921…

MALICIOUS

PDF

40.8 KB Created: 2020-08-29 23:25:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6949158a6815f2b408f88e513969d114 SHA-1: 2ccee93cbafdff72ed62219d165434609eba1b68 SHA-256: ded83e3c5ad79921d2cf20cfa767cfdd995bad04d94ddcfc38675730a064dbc1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is https://ttraff.com/wix?keyword=new+idea+manure+spreader+parts+store. The document body, though heavily obfuscated, also contains this URL and other links pointing to Shopify domains, suggesting a link farm or SEO spam campaign. No scripts were extracted, limiting the analysis to the link structure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=new+idea+manure+spreader+parts+store
    • https://cdn.shopify.com/s/files/1/0434/1910/7495/files/fusionner_plusieurs_en_1_seul.pdf
    • https://cdn.shopify.com/s/files/1/0433/8630/6710/files/2019_fillable_calendar_template_word.pdf
    • https://cdn.shopify.com/s/files/1/0432/0319/9136/files/sefalodigu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5612/8412/files/9214076128.pdf
    • https://static.usrfiles.com/ugd/f1d680_3f0a5b44967a4d9fa33d87320724ad7a.pdf
    • https://static.usrfiles.com/ugd/b8c837_179fd8786ac64f2db5de0ab89a31cd27.pdf
    • https://cdn.shopify.com/s/files/1/0464/6934/9534/files/58635748784.pdf
    • https://cdn.shopify.com/s/files/1/0437/9430/1085/files/after_we_collided_download_wordpress.pdf
    • https://cdn.shopify.com/s/files/1/0434/5040/0920/files/59565822650.pdf
    • https://cdn.shopify.com/s/files/1/0431/5627/5362/files/don_juan_canto_1_themes.pdf
    • https://cdn.shopify.com/s/files/1/0433/4652/6376/files/10_characteristics_of_management_information_system.pdf
    • https://static.usrfiles.com/ugd/b8c837_a76cb41a89294e1ebad1e8a4502a6ebb.pdf
    • https://static.usrfiles.com/ugd/c1615c_b31490f174ab4294b2788963a19fb6da.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf825f9f2e1d40ed99f0d4576e6297f8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062dc.bin
caae07c5d1b120685cf0ea37d2cb74d88cd5a8644b1fbeda82913bbf648f86af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62DC 5132 bytes
font_01_sfnt_off00007447.bin
878714fbe8a341062d79f5e9e44b70b73fdfc88a26f767bdd3dc3c3600fcd141		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7447 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.