Malicious PDF — malware analysis report

Static analysis result for SHA-256 6229846667fd0d84…

MALICIOUS

PDF

Size: 37.1 KB
Created: 2020-09-06 00:06:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76c32a748a32eeac7acd986b2c3ce3a2
SHA-1: a604d634fcd5f3d1ced3fb14d235a6279fcd25eb
SHA-256: 6229846667fd0d8449e05835a8013fa05ab67482468547841cee5b8c41d058f8
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link that redirects to a malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. This link is presented within content that appears to be a song ringtone, likely a lure. The PDF also contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic, suggesting it's part of a link farm operation. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=chamanthi+puvva+song+ringtone
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/3667/2162/files/38140124426.pdf
    • https://cdn.shopify.com/s/files/1/0428/4357/0343/files/figuwasamewafuroben.pdf
    • https://cdn.shopify.com/s/files/1/0429/0910/6335/files/wozov.pdf
    • https://cdn.shopify.com/s/files/1/0431/4474/1024/files/bibumobawabigake.pdf
    • https://cdn.shopify.com/s/files/1/0435/0558/2244/files/process_improvement_plan_template_healthcare.pdf
    • https://static.usrfiles.com/ugd/67e251_9f1ebb9c2eb84d61875084eb9ed084cf.pdf
    • https://static.usrfiles.com/ugd/2e16aa_e7fbf582295e4811a1048df0f7bc08bb.pdf
    • https://static.usrfiles.com/ugd/d2b720_1a91b1cf73a841f5993f01cdaa10c60d.pdf
    • https://static.usrfiles.com/ugd/3aee12_be9016b069cd4de097449743320edd93.pdf
    • https://static.usrfiles.com/ugd/c068f8_1c65124030b145f08711d5d7cbeabb6a.pdf
    • https://static.usrfiles.com/ugd/b8c837_10e08f0e5c124c609bac4c9cf503a20d.pdf
    • https://static.usrfiles.com/ugd/d54300_06cba7edc65f41b69800266f30ef1087.pdf
    • https://static.usrfiles.com/ugd/9d869b_ee1a74c58e9948e4bba73e56972d9227.pdf
    • https://static.usrfiles.com/ugd/930050_e75846b678d74a68a62551686ff7be14.pdf
    • https://static.usrfiles.com/ugd/c79b1c_370a066bc9814997b65e54fe1b8d7fd7.pdf
    • https://static.usrfiles.com/ugd/b8c837_727369acb38440cc9e82b2393f2d1ed3.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005424.bin
  SHA-256: 137ee62734958bb3d094bcfb74b221554d701600ff839ffb5a762a10d8404b5d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5424
  Size: 5164 bytes

Filename: font_01_sfnt_off0000658e.bin
  SHA-256: 2a8b754b9ca529d2833776694af781ffe94d10d66503b9a6592b530b71e0aa02
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x658E
  Size: 13868 bytes