Malicious PDF — malware analysis report

Static analysis result for SHA-256 e07d785972d5d71c…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Created: 2020-07-31 15:30:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 625a4e0979bbfd8c35d8f3861ce680c4
SHA-1: 0e434e5dec62e2878f45383bc61f99964d74a633
SHA-256: e07d785972d5d71cd756be9760307fa21f146ee0a2bb199c972618cc3457d52f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains embedded links that point to a known malicious redirector, ttraff.com. The document body, though heavily obfuscated, appears to be related to search engine optimization and lures users with keywords like 'John deere d105 manual pdf'. The presence of numerous external PDF links further suggests a link farm or SEO poisoning tactic to drive traffic to malicious sites.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=john+deere+d105+manual+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00005b8a.bin
  SHA-256: 559ef5000c69eb5d4a5f8e2634a3ebb2e3079901332945d7abcaaaea1d2b0731
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5B8A
  Size: 5164 bytes

font_01_sfnt_off00006ce1.bin
  SHA-256: 8f904e7de7340131c405d23e5c63c7cc4afb42f9f5c6890ad2e48527e3a59cae
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6CE1
  Size: 14176 bytes