Malicious PDF — malware analysis report

Static analysis result for SHA-256 23261a492f3df515…

Verdict: MALICIOUS
File type: PDF

Size: 72.5 KB
Created: 2021-02-09 03:55:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-10

MD5: 5fef65291603325fb19a34ec698e8d02
SHA-1: 80023f8e4aadc8009295138e18f9ddd49f1e15e2
SHA-256: 23261a492f3df51509379b1838552919ffe4882f81f28966488db556705b4eab

Risk Score: 184

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/wb?keyword=chrome%20apk%20for%20windows%207 (in PDF document text)
    • https://wokawopirajer.weebly.com/uploads/1/3/3/9/133999547/7469109.pdf (in PDF document text)
    • https://cdn.sqhk.co/pidefatop/8jeoge0/star_realms_kickstarter_high_alert.pdf (in PDF document text)
    • https://xuzuvakewose.weebly.com/uploads/1/3/1/6/131637797/592701.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4448558/normal_5fd64e9f8ab3d.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4495846/normal_5ff4f5bd13f5b.pdf (in PDF document text)
    • https://cdn.sqhk.co/ralapogifur/bgehc4z/english_stories_offline_app_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/tefulobesa/xjhiek4/nadefelosedaxusujepenave.pdf (in PDF document text)
    • https://tigobatimomovo.weebly.com/uploads/1/3/2/7/132740361/wujapijugora.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4379046/normal_5ffe90b8c940a.pdf (in PDF document text)
    • https://cdn.sqhk.co/vipikunowi/cSP3iht/29422386281.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://sofijorube.rf.gd/aptitude_test_for_job_applicants.pdf (in PDF document text)
    • http://wimifus.rf.gd/lubakododujamabe.pdf (in PDF document text)
    • http://mirepili.epizy.com/south_movie_2018_new_hdvidz.pdf (in PDF document text)
    • http://monudaduxafe.epizy.com/nozun.pdf (in PDF document text)
    • http://sazurukoxoje.rf.gd/just_cause_2_game_guide.pdf (in PDF document text)
    • http://tuzodunewawet.epizy.com/56878091784.pdf (in PDF document text)
    • http://vebegab.rf.gd/28832310619.pdf (in PDF document text)
    • http://xikisefux.epizy.com/80082532371.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dc23.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC23
    Size: 5392 bytes
    SHA-256: 3f62b63ca2e44a2a3503b7ca6a2bb81e04565af991ae3b0d4c98fadc667394e4
  • font_01_sfnt_off0000ee63.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE63
    Size: 11416 bytes
    SHA-256: 1e4de8d5e185b27b0b6257e1a6996911b545f15c1419d4238b81b5ef7915bc7a