Malicious PDF — malware analysis report

Static analysis result for SHA-256 02ca1b53e1207032…

Verdict: MALICIOUS
File type: PDF

Size: 65.0 KB
Created: 2020-10-25 08:51:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26

MD5: da1106da6c68b22dee31b1131f4d54e7
SHA-1: 7e66e110175eaddba6d91061f0b3ad5ae81d2b1e
SHA-256: 02ca1b53e1207032462571006223341e86a7d4551bb6d7c812d632c551d63969

Risk score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, i.e. the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=espacio+biologico+periodontal+definicion (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366385/normal_5f9354d9a36b1.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368952/normal_5f89b76d1f76c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4373776/normal_5f88cce4ba26f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4371553/normal_5f88752b17a19.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367013/normal_5f8c698b08679.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in extracted file font_00_sfnt_off0000bba2.bin)
    • http://www.ascendercorp.com/typedesigners.html (in extracted file font_00_sfnt_off0000bba2.bin)
    • https://s3.amazonaws.com/jenisozazewubo/kosedilenevozepujo.pdf (in PDF document text)
    • https://s3.amazonaws.com/fejififimaketo/all_of_me_lyrics_and_piano_chords.pdf (in PDF document text)
    • https://s3.amazonaws.com/jenagubadopi/38101578092.pdf (in PDF document text)
    • https://s3.amazonaws.com/migivewuwe/grammar_english.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0433/1264/4251/files/apa_psychology_ethical_guidelines.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0432/1473/3480/files/deck_heroes_mod_apk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6144bedd-c96e-4f80-8133-1aebded7e0d7/voginuve.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3333184f-0df4-4851-a37a-2acd738c676a/6751364372.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9ea73ddb-7d6d-46ab-91fb-f07e39944ab7/69173814852.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2410ca4a-3cd9-4d23-b228-9973e48418e0/11086458617.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/84ad1719-f857-4102-a02f-04cc71f3ce30/9076473268.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7a1c00da-c304-4636-ae64-e37fc51f77ed/85517626405.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0b109576-607a-4117-9cf3-4452f66d08c4/guwumosumofiwifuku.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b51a36f5-ced5-455a-b96b-3ed1a506779a/83349931172.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c8dffa3a-a385-4439-a22e-d13820be9f9c/66980556574.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c84d1ce0-705d-4b6b-ad9d-99cce645fa0b/high_electron_mobility_transistor.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8290fe41-f9e1-42db-8c91-3ca7abd59231/glass_sword_series.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in extracted file font_00_sfnt_off0000bba2.bin)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000bba2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBA2 | 5420 bytes
  SHA-256: 10e5860a605000353349a9eb31ca0c4a6c64daa72492b1f210ebd8a62e17a648
font_01_sfnt_off0000ce17.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCE17 | 11836 bytes
  SHA-256: 5a336f2c3fdf29487c46822b83613cbc75d3fcaa43db3c80b54ae29dcefd9f2c