Malicious PDF — malware analysis report

Static analysis result for SHA-256 036124dcef6a4ea9…

MALICIOUS

PDF

Size: 42.2 KB
Created: 2020-10-15 15:52:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-02-02

MD5: c721c94a49759b5462c62458e4695cf9
SHA-1: 34ae3fbb978543d8cf3a149d93746ac7ae9ed4ac
SHA-256: 036124dcef6a4ea961333c395f28d662674795c4a755f76828b95e62f2697159

Risk Score: 192

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high; rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://gettraff.ru/strik?keyword=napkinnate+mad+city+season+4 (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366033/normal_5f86f91798419.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366660/normal_5f87c7eda4e25.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369932/normal_5f880259c8ea5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366305/normal_5f878c0f46373.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366984/normal_5f879a38f030f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366018/normal_5f876a1f68d05.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366031/normal_5f8703e24ff06.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369173/normal_5f87b651a93d2.pdf (in PDF document text)
    • https://site-1038409.mozfiles.com/files/1038409/ladubopovinumifux.pdf (in PDF document text)
    • https://site-1040399.mozfiles.com/files/1040399/vokefelezoxasa.pdf (in PDF document text)
    • https://site-1048162.mozfiles.com/files/1048162/67278711239.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in extracted file font_00_sfnt_off00007c1c.bin)
    • http://www.ascendercorp.com/typedesigners.html (in extracted file font_00_sfnt_off00007c1c.bin)
    • https://cdn.shopify.com/s/files/1/0499/4374/0571/files/46851787884.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0434/3418/0769/files/ek_thi_daayan_full_movie_hd.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0485/3301/2635/files/empires_and_puzzles_hero_capacity.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/0079/3768/files/rajis.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0492/8189/2509/files/77862545259.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0481/7230/2503/files/tojebadinetelatub.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a3f1f503-6960-4d9e-8a85-7bcd59b6858d/25799061771.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4c026ccb-59d0-4c7c-bf64-e231b430a7ae/votagafekafimogeluge.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4d2b2899-37cf-432c-9bf8-6009339e00c0/60917092287.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e449e0f2-ff3f-4caa-b866-fbffac960646/zaguwarox.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/040ca30f-0c9b-4f97-813f-033bdcdafcc6/56615605522.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in extracted file font_00_sfnt_off00007c1c.bin)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007c1c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C1C
    Size: 5312 bytes
    SHA-256: 15a01a186f105e4ffd1056f07d8d2f74abe997fbd89f1c6a741697a5f9d7744c