Malicious PDF — malware analysis report

Static analysis result for SHA-256 c999ff805e2da0ba…

MALICIOUS

PDF

Size: 38.6 KB
Created: 2020-09-30 00:07:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa43569c20166edc25f0067013b65489
SHA-1: 35bdcbba2cda02b2ba5e630d8a629cc2720ce7eb
SHA-256: c999ff805e2da0ba75cdab5753f35df11f3b43de37e0ca134b746b1ed8ac68f3
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that redirects to known malicious infrastructure. The document body, though heavily obfuscated, contains text suggesting it is a "Cancionero para guitarra boleros pdf", which is likely a lure to encourage clicks. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005518.bin
    SHA-256: 1be6c04dea383c246a577a23fb096db912161342961c1de2af7e011938c8dda9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5518
    Size: 5368 bytes
  • Filename: font_01_sfnt_off0000675b.bin
    SHA-256: 04258af09dad651a82e3a2ca072d3ec0ef5a83c32ea7d8ce9f2717150a4de821
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x675B
    Size: 11296 bytes