Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ce6a29f37edd9bf…

MALICIOUS

PDF

42.4 KB Created: 2020-10-17 10:05:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-19
MD5: 1cc03b67a3e1dbea3f472a6e5e174b94 SHA-1: edba9b8e8fc4aaacb8cdc64632145f669441df42 SHA-256: 3ce6a29f37edd9bf6d113f3b38c4e6cea85a2c0190604497213ad15e93f8a26c
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=find+my+friend+app+for+android+download In PDF document text
    • https://balejumefem.weebly.com/uploads/1/3/0/8/130814467/9760646.pdfIn PDF document text
    • https://porelananov.weebly.com/uploads/1/3/0/7/130775759/bulibufusutenem.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369331/normal_5f8a40573e8d7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367278/normal_5f8a1c79f2830.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369486/normal_5f8880ba4e4dd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379032/normal_5f8a2b3b453b7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366989/normal_5f872a54844f3.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/59827d0a-6903-47e7-a0b3-61510e90b06e/vorizegunopoverawukaxe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bed031f7-5a2b-46e5-ad14-4bce26204c34/59556292686.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cdf819c5-3761-43ba-8921-782042ea7fca/kosixurelamodep.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d0c0edf9-bf20-4593-a80c-8adb4642d919/vutiwemamafarer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/815a6fd5-83de-421b-83d4-5d3251484098/17062807677.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/8622/6608/files/47442247344.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/9191/3632/files/salesforce_marketing_cloud_documentation.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/2501/4173/files/16619146056.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0463/2166/4160/files/psychology_in_modules_12th_edition.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/3173/1610/files/white_bear_lake_high_school_soccer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a14af763-d44b-4f47-b8d5-8d8e05de5ea0/nimeligulile.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/221d93da-8af0-411d-930a-6964567e53ba/34804144522.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9219e708-3f74-44c6-ab38-0abadee0d07e/dutuzufebuza.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e125b4d8-c01f-45dc-b4d5-aa3be16bb558/xovikikiwujimag.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000677b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x677B 5156 bytes
SHA-256: c8f2d24f68b620888b8158bf66532851d765ccfe23df310482df8925fd506fae
font_01_sfnt_off00007903.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7903 10324 bytes
SHA-256: 47fa07ced6ea7d5748e0a7ae0a55a3134c9b987e5147ee65d7f9a067554f71c4