Malicious PDF — malware analysis report

Static analysis result for SHA-256 dff6ccdc928f94e0…

MALICIOUS

PDF

43.7 KB Created: 2020-09-03 08:26:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98be8a391de3c1b592006ffa091693e5 SHA-1: 56dfdb26c977d9bc735a1fbc8ba948614e60ea86 SHA-256: dff6ccdc928f94e00ac4967dd3c62c9d91c038f7886d0a0aea3519733a62afe1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with one prominent link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to a 'charging dock for iphone and android' and the malicious URL, suggesting a phishing lure for a fake product. The PDF was flagged by a machine learning classifier and heuristics indicating malicious redirector links and a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=charging+dock+for+iphone+and+android
    • https://static.usrfiles.com/ugd/76b6de_ea61b0423f5d4412875d99693f03a616.pdf
    • https://static.usrfiles.com/ugd/d1c05f_b56553da77764ce4988c080d117ec8de.pdf
    • https://static.usrfiles.com/ugd/a771bd_2337f56c2e0d4c8589f6af7970513e17.pdf
    • https://static.usrfiles.com/ugd/2ca09c_5e05e36d71924a25a598f8d8d94262ba.pdf
    • https://static.usrfiles.com/ugd/314c35_9e51e55f6c9f4e9fbee4157f18f3cf7c.pdf
    • https://static.usrfiles.com/ugd/b8c837_9ffb668673f54508b1db11e53141ba55.pdf
    • https://static.usrfiles.com/ugd/b8c837_11f7ecd756004282906389a3974d8e0e.pdf
    • https://static.usrfiles.com/ugd/eb6612_ead7002a39204898beb8b29b1a04690e.pdf
    • https://static.usrfiles.com/ugd/eb5a6a_02561cefe5724386a5bff0833a0fec80.pdf
    • https://static.usrfiles.com/ugd/590778_d5558928a93841378c78eaa4fbbcadc2.pdf
    • https://static.usrfiles.com/ugd/7921d2_66c357ac68b747f8ab39dcb3f06bbfdc.pdf
    • https://static.usrfiles.com/ugd/b8c837_ccdd99dee19742eaaccc7bd74fa3b04f.pdf
    • https://static.usrfiles.com/ugd/b91566_2179decee39d48319c3c7fdc5d8ba7de.pdf
    • https://static.usrfiles.com/ugd/b41a9a_51c970ff2ab44481b199dab87bba5355.pdf
    • https://static.usrfiles.com/ugd/7d1dc9_a4715c891fb54e528835961b8546e132.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c95.bin
88e9a47acc7a2b9593f8d0426dbdbed56fa7cfd3dcf4d9e42734d86a53da7b39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C95 5176 bytes
font_01_sfnt_off00007e30.bin
fb9858421a4ad9e7157b40116e1114d0657ddb58597b90e7f3de3a73ebc8a3a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E30 10452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.