Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bcb962fbdcee255…

MALICIOUS

PDF

46.1 KB Created: 2020-10-29 10:11:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-12-26
MD5: 58490d41cf3647b713020acb65225ff8 SHA-1: 52940f10d982d974c42f85dba3ab259b8d7d9589 SHA-256: 2bcb962fbdcee255ca176eb8e1888814fe0d96bd340ee5f124d924212ab3cdce
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=aug+airsoft+parts In PDF document text
    • https://moxoviwepikiwu.weebly.com/uploads/1/3/2/8/132814726/e9a13bdc.pdfIn PDF document text
    • https://kozezivu.weebly.com/uploads/1/3/4/4/134444222/fea2e3502ea2.pdfIn PDF document text
    • https://zafigitelerom.weebly.com/uploads/1/3/4/3/134338481/2203323.pdfIn PDF document text
    • https://risimukino.weebly.com/uploads/1/3/1/3/131383953/dofopo.pdfIn PDF document text
    • https://tedumuwoke.weebly.com/uploads/1/3/1/3/131397970/nutisago-tuwum-sokilo-zodegabikagopok.pdfIn PDF document text
    • https://lorebigida.weebly.com/uploads/1/3/4/3/134377432/dasopesuxipidowerade.pdfIn PDF document text
    • https://vasedowazapen.weebly.com/uploads/1/3/4/3/134320052/mugomatag-garom-wogiluvovadeba.pdfIn PDF document text
    • https://gujibimusexuwub.weebly.com/uploads/1/3/4/0/134042380/3249b6ab2346.pdfIn PDF document text
    • http://www.ascendercorp.com/In extracted file (font_01_sfnt_off000070a1.bin)
    • http://www.ascendercorp.com/typedesigners.htmlIn extracted file (font_01_sfnt_off000070a1.bin)
    • https://uploads.strikinglycdn.com/files/9809a911-f17f-4005-bf1c-141e127cfd67/podumelemowopezokiramozid.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0436/3550/7358/files/tesowutatifokuw.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/67ea3493-4b2c-4b2e-a34a-357ea4a87248/logikejotijolojodizi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1b7e8682-fc0a-486e-9acf-d18c6d60c227/bamusiradubumizuleken.pdfIn PDF document text
    • https://s3.amazonaws.com/wilugugo/firewall_and_internet_security.pdfIn PDF document text
    • https://s3.amazonaws.com/wogikokuzotaxa/bivujenisasexawitagotivel.pdfIn PDF document text
    • https://s3.amazonaws.com/saziwijaxodav/zasonorupiwujovenesefir.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/2022/5176/files/facebook_messenger_download_for_android_2.3.6_apk.pdfIn PDF document text
    • https://s3.amazonaws.com/votubukaxogilix/zupanuloda.pdfIn PDF document text
    • https://s3.amazonaws.com/purixifusipelid/microsoft_excel_test.pdfIn PDF document text
    • https://s3.amazonaws.com/retobifulipo/jars_of_clay_flood_release_date.pdfIn PDF document text
    • https://s3.amazonaws.com/leguvefu/1325602315.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/5978/1023/files/compound_words_worksheet_grade_5.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn extracted file (font_01_sfnt_off000070a1.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000652b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x652B 3220 bytes
SHA-256: 2eafb78263b957cbc5a8cbdc482c6e0e160326e3c94edb7ff63dc66a50697da4
font_01_sfnt_off000070a1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x70A1 5028 bytes
SHA-256: 62bda9ef6d33d87f41a6809ce5f4d262c8502d7e22555a9558ea805e87aafd99
font_02_sfnt_off000081d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x81D2 12624 bytes
SHA-256: 581ed26648fb5a1e99836ebea782baa4c341a660099cd9db42b73fe9caee8615