Malicious PDF — malware analysis report

Static analysis result for SHA-256 397a083736fbddc9…

Verdict: MALICIOUS
File type: PDF

Size: 48.9 KB
Created: 2020-11-09 12:09:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-23
MD5: d8ee94d26dae44074b3c5277fbda6ac0
SHA-1: 7342615d325c2d02eff637ee7982d3b56670720f
SHA-256: 397a083736fbddc969a6c0099b78f988fd38fa1376587a08d1cbff4d576a4e1f
Risk Score: 136

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_UTM_REDIRECTOR_LINK (high): Image lure linking to an SEO redirector (free-download phishing)
    The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector. This is the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. The pattern is flagged structurally (image lure plus SEO redirector), so detection does not depend on a ClamAV/ML signature and is unaffected by how many filler text pages the lure carries.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007df4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7DF4
  Size: 5036 bytes
  SHA-256: 31a5df5a0950a8f3acfc7119349f26c1b9a750be2ab3f9e1aff0a40ea617515a

Filename: font_01_sfnt_off00008efd.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8EFD
  Size: 11268 bytes
  SHA-256: 175185a70fdd661083e4006ba2792caf14cf3e98d47301a975c852ff51dead96