Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c231b3fa5fbe39b…

MALICIOUS

PDF

44.2 KB Created: 2020-10-01 15:40:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: 404f13f8b3e95e09345270b884c89d49 SHA-1: 712b907b1471a2be1bca760a08a92c5d410d7cc7 SHA-256: 4c231b3fa5fbe39b481bb79938e76619983425375975942c22a38a1f82e8452d
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=ipl+2019+final+schedule+pdf In PDF document text
    • http://files.stjohnlutheranchurch.com/uploads/1/3/2/6/132682655/xojuwejuvexa.pdfIn PDF document text
    • http://files.ibteens.net/uploads/1/3/1/4/131409508/b3b2af4.pdfIn PDF document text
    • http://vawaxoru.scsar.net/uploads/1/3/1/8/131856705/9a004bac3ca4f.pdfIn PDF document text
    • http://files.norfolksquash.com/uploads/1/3/2/3/132303351/9593129.pdfIn PDF document text
    • http://muxalu.act-sat-tutors.com/uploads/1/3/0/9/130969679/2e92670419cb271.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0486/5464/7446/files/native_american_men.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/1807/9386/files/36387098204.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/0600/3864/files/ashrae_pocket_guide_free_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/66021131-2507-4ce8-8e7b-8759bce14f9f/44975899917.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ceb4e97-5980-4573-a539-0bb38c26597d/29439862094.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/94a5abdc-5296-4b5f-b6ae-2256f0af3ade/86155526347.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c8df5669-9ed7-452e-99a6-8b2c4c5be9e6/rozopijoxulefa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/26f525ea-e7ea-471f-bb34-2946a2affeae/19358581004.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8cd0e6fb-0d83-4fb6-af47-f93976e0042b/26227212589.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f42e8c12-aeda-4b60-806a-280cfc4629e2/68807158891.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006388.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6388 5568 bytes
SHA-256: 59062a754d0d1ddf0c8a662e903a50081e10ec4cddf3e0cde1d117112ae6a427
font_01_sfnt_off00007673.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7673 1892 bytes
SHA-256: c4ebf9374f183e0d06abff076368f9778f5420368af1f3cb29c6cd45b472c97f
font_02_sfnt_off00007f93.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7F93 10576 bytes
SHA-256: adbed99ab687c3e2a3d7ba5c50b0ab49f694764f6ca4f1a869f985fecb2accb6