Malicious PDF — malware analysis report

Static analysis result for SHA-256 02d0c2f68f5b83d1…

MALICIOUS

PDF

54.4 KB Created: 2020-10-11 21:42:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10
MD5: a7bbf1eee202eb994663ac8cd0693218 SHA-1: 4440d1d626c7e81a495fb77c4ce038a9f46933fb SHA-256: 02d0c2f68f5b83d1cf4be6a92b8a7749dff6f11daf6d4020279016e8e98d844f
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=odile+fernandez+libros+pdf In PDF document text
    • http://laladoniw.impressionsbychelsea.com/uploads/1/3/0/8/130813330/genufar.pdfIn PDF document text
    • http://rijojor.halffastadventures.com/uploads/1/3/0/7/130738531/lojotolef.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/51e2c03b-c6e8-4b2c-950a-6f754e1d46f9/mebefilezilawokiba.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6a5cea36-16b9-454e-b6cc-d6b029227629/gataregewapanupo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c84b9708-8e44-4491-b5f9-6eab743424ec/bidabijobetiboruxujetij.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a8af3aef-b2d5-4474-a05f-6b1327069776/kipuzijuwevafolinanipesox.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7fd1124-5936-46c4-be9a-0d10e0fe5366/28688785890.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e24826d2-3c76-44a1-a72d-ff9d9c66ebc6/vuzibikumokozetexe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7c2aba25-8795-4267-8cb5-6630df0aea3f/remosu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/13f04b4a-1766-4b05-89b4-bc9b6b55bb66/51166513307.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d36e2e5a-39a2-47c1-844f-d662b03a82ad/6676837912.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/786cfb78-b773-4bce-b50f-a1a1ef4adfca/59741121750.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1e4a16e9-4981-460f-ba9f-e4b03d70eca1/13133331205.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000080d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x80D2 5252 bytes
SHA-256: a31999fa78930139701a03020a895262d5ce9df26de328ea1c70f196470ce854
font_01_sfnt_off000092b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x92B7 10892 bytes
SHA-256: 227a07633d7a18ff67ba0fd3c8b73976a4ca361eaa6375d245de068df51db280
font_02_sfnt_off0000b7e4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB7E4 16120 bytes
SHA-256: afef7078cb2df19c3af6e0a290a1e91943695396d6c8eacc2b40ed28c0b27951

Open this report in the interactive analyzer, or submit your own file for analysis.