Malicious PDF — malware analysis report

Static analysis result for SHA-256 143d86de8c93f94c…

MALICIOUS

PDF

Size: 38.2 KB
Created: 2020-09-01 14:02:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73c0797e68d45ba72222ee016dc304e9
SHA-1: 29e41240e4a82159f8653721a9046eab94035240
SHA-256: 143d86de8c93f94c51094960b3bdb6259b94209765ce83fc0e34515d0e14d11f
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is a redirector designed to send users to further malicious content. The document body itself is heavily obfuscated and contains a reference to the malicious URL, suggesting an attempt to disguise its true purpose.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9924

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.cc/wix?keyword=mata+rani+ke+bhajan++kare

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off00004db2.bin  00bfbaa45c35f2fbeac5c037fc8e014208ee374e1ceb86c4efe241d632f30fd7  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4DB2  4524 bytes
font_01_sfnt_off00005cff.bin  aaee66698cf7ec9d3a1347463f17a6e31a4af1600cc022f1b8b4506f57e19f5e  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5CFF  13396 bytes
font_02_sfnt_off000086fa.bin  05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176  pdf-font-stream  PDF embedded font (sfnt) at offset 0x86FA  4324 bytes