Malicious PDF — malware analysis report

Static analysis result for SHA-256 55fea0a229f52778…

MALICIOUS

PDF

44.2 KB Created: 2020-10-18 11:22:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: 82e53f8f60a7b5814a378737152f0401 SHA-1: 36a0d86e1bda76c9218724edbb7ad3a5ec80c868 SHA-256: 55fea0a229f52778dd4f28545964d863e39b321180923702a013f73c1e641724
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=wiring+ethernet+jack In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365628/normal_5f875aac8ada2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374957/normal_5f89379adb0f8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371025/normal_5f8be03435238.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366324/normal_5f870e97d1cbc.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366374/normal_5f875e72ce3c5.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366388/normal_5f873e52b33c0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4372361/normal_5f8a8ca91e0ea.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366645/normal_5f8841a681f69.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376380/normal_5f8b233813e52.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366304/normal_5f8a19d25a7d2.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/e35829e6-ccdc-432f-9397-0a1768ca394b/32424154685.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fd4e9c10-2c37-4d00-8789-cae335dcec23/70530312515.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/4257/7813/files/20479519502.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/7471/4784/files/fishbowl_discussion_handout.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/9480/2589/files/xofurulone.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/3835/0753/files/70136551979.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0459/0433/0906/files/32958749899.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/92e2292c-f16b-49b0-ae36-70a7f4f87731/xepaleka.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/472c1ad1-f78a-494b-97b0-6d4174704497/43707664186.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9f9f1174-f9a1-4ffa-ae14-6421ef97d046/kesurukelidufi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/dad949cd-cab5-449c-828f-2a22cbe50fa1/pakapo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000700b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x700B 5004 bytes
SHA-256: 3bafcdf84d61790142914418bf40e34369b56bd8af72a0d084a0f1e56a433978
font_01_sfnt_off00008118.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8118 10080 bytes
SHA-256: 2523f0dfd0c64c407d4b3ab492a79e44ba934754db0ff43e601a0c8e4fa8d623