Malicious PDF — malware analysis report

Static analysis result for SHA-256 ace264ec6487dce3…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Created: 2020-08-12 12:04:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b788ad548e2dc57838e31e9aefe33d8a
SHA-1: be63533cee49d1f8bf7314decae3ffcabee2ce58
SHA-256: ace264ec6487dce3a0ad8de54b9439afd3f7ed594539071bc4cbc722f232d3b1
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to sheet music and the malicious URL, suggesting a lure. The presence of many external PDF links indicates a link farm strategy to improve search engine ranking for the lure. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=bohemian+rhapsody+piano+pdf+jarrod+radnich

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005412.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5412   5588 bytes
  SHA-256: 06f95be49ae6ae3651ee0cd3253cec44406b3cf1b6be1fcf9abb1d606abd6334
font_01_sfnt_off000066f4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x66F4   11788 bytes
  SHA-256: 88481665a9349cf2e6ab13e84457ce7af90d8c8fe2cbf7bd6140c9545bd75a07