Malicious PDF — malware analysis report

Static analysis result for SHA-256 32e43da2f8435d85…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-10-18 23:12:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-02-23
MD5: f500af1a43b3582e08745f007eb0392b
SHA-1: d1e166006231526d51a1ce257c6fa7402da6355c
SHA-256: 32e43da2f8435d85a331a97879ee9c3afb2c5f1a140958ead4b321df39b9e289
Risk score: 182

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006b11.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B11
    Size: 5568 bytes
    SHA-256: 628b46a70c0c440c0d6326213994e97d23045f63595363469f299321f1552507
  • font_01_sfnt_off00007de0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DE0
    Size: 10224 bytes
    SHA-256: a0a942b21ca36825f93366889e441b66e460ec37f8cffffabe4ce73680427bf2