Malicious PDF — malware analysis report

Static analysis result for SHA-256 423a3ef34efb23c6…

MALICIOUS

PDF

Size: 50.5 KB
Created: 2020-11-08 06:58:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-23
MD5: 8dede9e9fccfcaf4923e944845a84fba
SHA-1: 080fae705fdc3f624a0c9801a1c973464e5350fb
SHA-256: 423a3ef34efb23c6e5019ea4f0478a4e9c50db10839ab5e531406e67aafc1cb3
Risk score: 136

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffe.ru/aws?keyword=what+are+congruent+angles+equal+to (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000070c7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x70C7 | 5200 bytes
  SHA-256: f078fead09326c114912620131e072c9cec1f8858e3e0734edb9dd7e18253d67
font_01_sfnt_off0000827f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x827F | 10624 bytes
  SHA-256: e22337a11fab106642b9fecee9e0731a5fa5111eb22f3e9ade192df4909e703d
font_02_sfnt_off0000a6fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6FD | 16256 bytes
  SHA-256: ff524c1c6f1920e7ce88839a21ecb67c2f405117423b0e187d8b8241881af3bf