Malicious PDF — malware analysis report

Static analysis result for SHA-256 4da3d267f8a35e8c…

MALICIOUS

PDF

68.9 KB Created: 2021-03-05 13:48:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10
MD5: 66b0ed236ad8fb223377257baed6a56c SHA-1: c113b0caaa16b885b372757713b5978be9777a99 SHA-256: 4da3d267f8a35e8cd7be47d8917ec1b26f15ed03b8d5ce8196c1b92ca979082a
254 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/wix?keyword=apple+macbook+pro+a1278+charger In PDF document text
    • http://copyrighthelpbusiness.net/76567616071h5t4p.pdfIn PDF document text
    • http://belplitka.ru/kof_98_um_ol_charactersxautc.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4446168/normal_600eed90dfe0c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373753/normal_6033cd750c2a6.pdfIn PDF document text
    • http://robolab.one/dissolution_of_partnership_letter_templateluz3w.pdfIn PDF document text
    • http://sks-expertiza.ru/el_simbolo_perdido_opinionesffr5x.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://feniboladesa.rf.gd/jilikosukege.pdfIn PDF document text
    • https://599b09cd-7b6a-4758-94a3-08a08d316165.filesusr.com/ugd/628a76_a5497d0e1e8642768890c68dfa23516d.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/fekife/20788014137.pdfIn PDF document text
    • http://pojovalomoj.epizy.com/healthcare_data_analyst_jobs_indianapolis.pdfIn PDF document text
    • https://s3.amazonaws.com/zafijukopa/hootsuite_report_2018.pdfIn PDF document text
    • https://6739ca04-605d-4ff4-b4c9-4e5bd75a7819.filesusr.com/ugd/031dda_e3f18f1c6235427d9ae8da0d735a167a.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/tikoweravisixu/sungrow_20kw_inverter_data_sheet.pdfIn PDF document text
    • https://e97408dc-4b05-4e3b-9f19-f4127feb49ef.filesusr.com/ugd/a42eed_0236c15a6c4e41d682f721e29893c887.pdf?index=trueIn PDF document text
    • http://fosekor.epizy.com/adobe_premiere_pro_cc_2017_free.pdfIn PDF document text
    • http://gubadix.epizy.com/crooked_kingdom_page_count.pdfIn PDF document text
    • https://s3.amazonaws.com/saziwijaxodav/bharathiyar_song_in_tamil.pdfIn PDF document text
    • https://16012499-1299-48b0-8cdd-5f23a7749958.filesusr.com/ugd/fafc38_0ae9db24b5c841be9ed91c213166cc9f.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/godewumazek/17054085286.pdfIn PDF document text
    • https://s3.amazonaws.com/wujodibu/new_video_call_app.pdfIn PDF document text
    • https://ac614e2c-2e00-43e4-a80f-2c6bce9fb64b.filesusr.com/ugd/f103bb_fcd9dcc0339d40bc98f713bea9e742ed.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d0b5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD0B5 5820 bytes
SHA-256: f72308622f093479722997c9605c965f449a2cf263c21dd90fd301f0e2f5ecc0
font_01_sfnt_off0000e461.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE461 9936 bytes
SHA-256: 7080ac14a756c806ab957f81829c7417894bb7cfc19a7b3dfe20aeaa9e35291e

Open this report in the interactive analyzer, or submit your own file for analysis.