Malicious PDF — malware analysis report

Static analysis result for SHA-256 0973ff2013f80d8a…

MALICIOUS

PDF

35.7 KB Created: 2020-10-16 18:40:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-17
MD5: 5b673878539736d51e8b726990df3eb7 SHA-1: f2b22cf3c6eeab7f452f21efecdefd04eb5dc51c SHA-256: 0973ff2013f80d8ae12bb4434709836a7996cd48ea88a6f020f61bbdaad5d089
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/123?keyword=ifrs+16+2020+pdf In PDF document text
    • https://viweposedijul.weebly.com/uploads/1/3/1/0/131070314/wijefizamomow_suvezelowegat.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366007/normal_5f871921b1e21.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366011/normal_5f86f6356e36c.pdfIn PDF document text
    • https://godadonalizubo.weebly.com/uploads/1/3/1/4/131437317/notumefozekuxeg-rujaniludejad-lipivupeb-duruwus.pdfIn PDF document text
    • https://nanorobudilason.weebly.com/uploads/1/3/0/7/130775181/d28701f.pdfIn PDF document text
    • https://besiwalufeg.weebly.com/uploads/1/3/2/6/132696214/mokivo.pdfIn PDF document text
    • https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/bagatazojiz_sidatasofugugor_sofaxazute_gureluf.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8309/6750/files/specimen_surat_suara_dpr_ri_2020.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0486/0893/6094/files/62492714840.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0476/7793/1686/files/wooden_armor_terraria.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4ed9969a-5a83-47b0-91b5-af505d1e1ab5/pugezonoxudulamanofop.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f192d4ec-215b-459d-a57d-e17a5bc86a18/zexusafiwoximebi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a95716dd-7d79-4edc-94a8-9655c2b4303a/patolaxomabopuxifiwixu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e645dc26-4c17-464f-8bd5-148dc31cd979/bojefebiwovebaxemo.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0436/4884/3929/files/natural_spider_killer_vinegar.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/6104/3605/files/jonathan_beach_club_dress_code.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/1827/0905/files/bamotegukekapimodupumuzi.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/7183/8643/files/52881739409.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e9f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4E9F 5208 bytes
SHA-256: 184f245ba0d906afc394a157934f50ea4125f880b43db066e600c40e9e40f0c8
font_01_sfnt_off00006062.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6062 9876 bytes
SHA-256: 6cc16ce4b8b914f1620404606d15518bebaabccdc5f905b2aff0a88a6be80e38