Malicious PDF — malware analysis report

Static analysis result for SHA-256 17983ad1b6fe3750…

MALICIOUS

PDF

52.2 KB Created: 2020-10-02 10:39:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-19
MD5: 1ddbe8e181d6e406e2a845d47e4ebfde SHA-1: ff2f86b586955d2dbf2588433f3da9b24645b3bf SHA-256: 17983ad1b6fe3750f5ebbb7d6b25bf7513938d227616954062637de9bb5843f4
184 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/pify?keyword=kyoukai+senjou+no+horizon+wiki In PDF document text
    • http://sivujixi.scottalanwarner.com/uploads/1/3/1/1/131164250/manepoxodikupesek.pdfIn PDF document text
    • http://files.lcrsc.com/uploads/1/3/2/6/132681559/guxatezatonof_ruxogowewu.pdfIn PDF document text
    • http://files.vierajrotc.org/uploads/1/3/0/7/130740624/muzijos.pdfIn PDF document text
    • https://site-1036869.mozfiles.com/files/1036869/59242938198.pdfIn PDF document text
    • https://site-1037169.mozfiles.com/files/1037169/55317146391.pdfIn PDF document text
    • https://site-1036807.mozfiles.com/files/1036807/wajuluzetamemud.pdfIn PDF document text
    • https://site-1037005.mozfiles.com/files/1037005/95448804298.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/0513/6024/files/3391753588.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/9224/9250/files/funejulomujutokewuvami.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/6578/9602/files/10726387667.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f276552-97af-4dc2-9343-bbe47fd68599/24259251951.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/482efcc6-13c7-44f1-96e5-795d4241533c/xafuxa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/49d18337-8d77-4d25-82f2-7cda4606fe3c/sabarozowexakefux.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4fe30832-bd2a-406d-9ba0-48f288e9b5de/kusexebekixoxetaniputodu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de5bb11f-554a-4a7c-8de9-01d8cd8f8538/ruketosigedunovadez.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c90.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6C90 10548 bytes
SHA-256: d4b9a6a031b60ce26cf5ffefcd19dfed3e216ca2988332d6d84153c9bbf03cb0
font_01_sfnt_off00008f47.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8F47 5092 bytes
SHA-256: b0ea973727226a05ae8407ef448a58212c57dd01f9df8efd22166ea112156ecb
font_02_sfnt_off0000a0b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA0B3 10256 bytes
SHA-256: 4e94a32879643e29fd7ba8b561d87e333497607bac77c4bede453711c3424fa8