Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ffc3492f919c722…

MALICIOUS

PDF

45.5 KB Created: 2020-10-16 13:14:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: fe6b4696c47adb27a6c749602949847e SHA-1: de86f998de73b66a29a1811c183079f92fc5a086 SHA-256: 0ffc3492f919c722ba684018b73137fa680e04ed429fc519e4a4751986cf3460
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=worksheets+korean+language In PDF document text
    • https://fuparududewon.weebly.com/uploads/1/3/1/8/131856041/degogedego-dojidetudi-zuwixeva-wedupojopofege.pdfIn PDF document text
    • https://guwomenod.weebly.com/uploads/1/3/0/8/130873843/budup_muruketika_befusijago.pdfIn PDF document text
    • https://zuxuzesis.weebly.com/uploads/1/3/1/4/131438019/4675241.pdfIn PDF document text
    • https://gadigode.weebly.com/uploads/1/3/2/6/132680949/xagoxik-perufuvov.pdfIn PDF document text
    • https://vafuzetok.weebly.com/uploads/1/3/2/7/132740798/rafof-kabipukodukamob-surefexot.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://cdn.shopify.com/s/files/1/0268/7497/0286/files/26528089459.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6b18929c-eca4-4373-8f55-cb7de7999aa8/15726838328.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a258f33a-bab3-4db9-a8f5-b3bd39cd50ae/16602564700.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0b28d208-593b-4b1e-9658-8b69406e88f6/ginesalumajuzusumosa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5819a47d-9fb8-4379-9dd1-ddfe3b44bbc3/jimukasubu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/26091d43-2ae4-4ebc-99b3-9a8a7fd23169/tadadupuni.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f393924d-26aa-42b6-b892-398ec1fda335/sudiru.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3d08d21a-2114-4a5e-8da5-feab0054d2b3/55088567836.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ee11af3-8bb4-4baf-badc-6ea277c1e66a/tudanufuwukozaloxizelom.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/06a867af-e91e-4c12-a3f5-78d8b335d3d2/7800056150.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4561e0c3-5b51-462d-beb4-ce16cb2f3ed4/48639295838.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x68BE 4856 bytes
SHA-256: 7f4e11e3f779d4afc363b8fc01395e8b3f7f2e4214163d45613b751ced03f065
font_01_sfnt_off0000794b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x794B 9744 bytes
SHA-256: f4cc1a59535c3079b2b240756722b235cf563cd421ad5de817491d867f2dc4e3
font_02_sfnt_off00009abb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9ABB 4324 bytes
SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34