Malicious PDF — malware analysis report

Static analysis result for SHA-256 32c4c2bd6a5793f8…

MALICIOUS

PDF

40.1 KB Created: 2020-09-16 22:53:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8d2d6e4239f60c2925f70c51da529fe SHA-1: 62e99ee8ce3657c3b5aefb5a7f0b12f8a35a795e SHA-256: 32c4c2bd6a5793f89b8ccb792302dadf7730f102baaba930066a7c5f04dcfb41
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to malicious infrastructure, specifically targeting searches for 'roms apk nds'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK directly indicates the presence of a malicious redirector. The ML classifier also strongly flagged this PDF as malicious. The document body contains obfuscated text but clearly embeds the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=roms+apk+nds
    • http://juparula.cavertwire.com/uploads/1/3/2/7/132712116/wawir.pdf
    • https://1f112359-ab5d-41d8-a013-ffffa04f8f8a.filesusr.com/ugd/bc0b97_daf19d3a0525455eb7be474809438a3d.pdf?index=true
    • https://7b957fce-72e3-421a-a014-39a2270b63c6.filesusr.com/ugd/440e29_bbd14387cbfd4ca2a9986b44b6716c45.pdf?index=true
    • https://61b6f06b-2974-494e-ba1c-755b2329f855.filesusr.com/ugd/24deb6_a6f4c09f4d6c4ff4bcf4b3147b155b88.pdf?index=true
    • https://c57d7b91-ac11-418d-a646-f72d28a27fea.filesusr.com/ugd/e643da_c3dd1ad569f148f6b515c9e690291502.pdf?index=true
    • https://8027b46f-92b3-4e4c-906e-8031208d3da9.filesusr.com/ugd/268ab1_9e3989508673492694996d78c5c34fe9.pdf?index=true
    • https://ba0d1e03-ce52-4b4f-8aec-7a656d07f774.filesusr.com/ugd/a6e5e9_8cbff5fe7b3945c89a907db2bba36b03.pdf?index=true
    • https://a11b32dc-fa95-4f6f-b9c2-06aa4d73f37b.filesusr.com/ugd/a13bc2_c34d0f750379415a97c9820924a23c3a.pdf?index=true
    • https://fb1b49e2-f962-4c44-a2f2-86a6086ea508.filesusr.com/ugd/c0fca2_a4ff7c9d392c42ce995b05fd5f0e5913.pdf?index=true
    • https://1d87a6aa-320e-4c8c-bae8-d2d74b67a0c9.filesusr.com/ugd/ad2ade_c94a115e956c47f8b4929e99fd6c9b7d.pdf?index=true
    • https://cd807b47-f4c9-4cd2-8eaa-bbca02502f71.filesusr.com/ugd/8bf3fc_438af720ccde42aba4d2def5164e8e03.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f96.bin
52622dd69aacf5d2c667cb31f5878c74de7e8e401aff377bfa6f581a05bd3a53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F96 5048 bytes
font_01_sfnt_off000070b5.bin
217dc11be88affedd2273ff42089a979466c7a10e08ac226f05d1ca27533dbf3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70B5 10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.