Malicious PDF — malware analysis report

Static analysis result for SHA-256 837643dafe3b7260…

Verdict: MALICIOUS

File type: PDF
Size: 29.8 KB
Created: 2020-09-22 21:25:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45c9f7d8583781b6b3776010ce52492c
SHA-1: af3719a013347c860c9551610d211af499156151
SHA-256: 837643dafe3b7260301e5723fb23bf368f346862b3624947d2f3536d13bdb8ba
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a critical heuristic for linking to known malicious redirector infrastructure, specifically a URL promising free in-game currency. The document body also contains this URL and numerous other links to PDFs, suggesting a link farm designed to distribute malicious content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=free+gems+empires+and+puzzles+2019

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005d1d.bin
SHA-256: 048fb1891f432488516cd811e7b04d68e7d39e548ca3495625137f8fb0c23ff4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5D1D
Size: 6744 bytes