Malicious PDF — malware analysis report

Static analysis result for SHA-256 3410b8b75be1cac9…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
Created: 2020-10-28 07:57:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: 68682728c90d7154f4cc482feb34a855
SHA-1: 3907b798067e899b3a7b952e2e5b3c4697a23659
SHA-256: 3410b8b75be1cac94fa410a93a18cbef03398c958aa662fa11a634ad8b12d9b8
Risk score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000741c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x741C
  Size: 5140 bytes
  SHA-256: cd9d0ef3bd9e9550de7c8babda288aaa39e06a2e0427176fd6767e7f4ae00bbf

Filename: font_01_sfnt_off00008588.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8588
  Size: 9960 bytes
  SHA-256: 1d8698fbbe2053a87addc890fa9416400cd402e76af750c5f27543e1b2495030