Malicious PDF — malware analysis report

Static analysis result for SHA-256 1854e5e2786d20a7…

MALICIOUS

PDF

Size: 39.8 KB
Created: 2020-11-08 20:54:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-23
MD5: dbd12a24ba5ae7c31637a537efc6c584
SHA-1: b01adaf5e345f40370417bf64838a1d43641af20
SHA-256: 1854e5e2786d20a760d2e88f13e75cdb602083c277190542506b38513f9894c2
Risk Score: 76

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics 4

  • Image lure linking to an SEO redirector (free-download phishing) [severity: high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/123?keyword=7-2+practice+similar+polygons+answers+page+15 (in PDF link annotation)
    • https://jimagofer.weebly.com/uploads/1/3/0/8/130813953/jiladux-fatowoxev-lebamomumarim-piwifakixem.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4371786/normal_5f934a01a0b33.pdf (in PDF document text)
    • https://mogijoduvide.weebly.com/uploads/1/3/0/8/130814471/fa37bfd.pdf (in PDF document text)
    • https://vafumigoku.weebly.com/uploads/1/3/1/3/131384305/bezodagupu_nomamepo_kagexagojo_bikafusixer.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4408460/normal_5f9612d8b1f0c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4388289/normal_5f9b3a574339f.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/tipikaxe/15017334179.pdf (in PDF document text)
    • https://s3.amazonaws.com/sugaguxagu/zofabudorolasaxawezewe.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8611aa2b-a1a5-4181-aa35-09442534c955/41363475616.pdf (in PDF document text)
    • https://s3.amazonaws.com/pazifetanegapu/42724592337.pdf (in PDF document text)
    • https://s3.amazonaws.com/teximikamukubo/chess_for_beginners.pdf (in PDF document text)
    • https://s3.amazonaws.com/felasorarabipis/48960836293.pdf (in PDF document text)
    • https://s3.amazonaws.com/xisefowu/american_english_file_3_teacher_s_book.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/228df072-0d67-4860-918c-b648ef2a34e1/what_eats_volvox_algae.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00004420.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4420 | 5772 bytes
  SHA-256: de910f023323566199850d6ba5341ecae03f63a6548749818c4c9d91bf959430
font_01_sfnt_off000057df.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57DF | 10376 bytes
  SHA-256: 41aa6bb9f5f30025773cf62aeb393beea8828e99d4e32689cf88a8f1d03ab8cb
font_02_sfnt_off00007b87.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B87 | 16448 bytes
  SHA-256: 3f7f6beb0f5865f83039c8434023d34048916fbab515aea8bfee4d6c7e3f3101