Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c73ab1a805517d2…

MALICIOUS

PDF

Size: 34.9 KB
Created: 2020-10-05 09:25:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-19
MD5: 5446688bb9d7a401fd18f4e8c8107ce7
SHA-1: fde04e1e792608875c3bec6815a42db4819a0c4c
SHA-256: 5c73ab1a805517d21dba1dda6d24796757462b08bd1812a4621665e0ccfd0ac5
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel through which each was reached:
    • https://cctraff.ru/strik?keyword=motorcycle+manual+cam+chain+tensioner+adjustment  (In PDF document text)
    • http://files.erikalancaster.com/uploads/1/3/0/7/130739251/1089901.pdf  (In PDF document text)
    • http://files.ilustrarmagazine.com/uploads/1/3/2/3/132303083/7367612.pdf  (In PDF document text)
    • http://files.smallbatchq.com/uploads/1/3/2/6/132683267/38bb7f1578740.pdf  (In PDF document text)
    • https://site-1036626.mozfiles.com/files/1036626/kajepokuraduparikigeg.pdf  (In PDF document text)
    • https://site-1041181.mozfiles.com/files/1041181/jokagoretiradiwenok.pdf  (In PDF document text)
    • https://site-1040341.mozfiles.com/files/1040341/lomenuxixidu.pdf  (In PDF document text)
    • http://www.ascendercorp.com/  (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/d6e964f0-7a30-4980-8cf3-67bb311c8c59/18323101883.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/27a36784-63e6-4311-acb6-cfba37563b89/teworerakumidovojowesalu.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/b824f448-e280-47b4-a663-d60fe9aba4f6/tazuxixesuguzozuzod.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/54eef5e5-94a9-4432-ab3f-c398387f48ad/jigujo.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/524af4dc-01af-43cd-89af-0c39fcef031a/10366678829.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/45691909-2635-4789-9a5b-b899487259c4/58388098033.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/71f535c6-163a-43d8-b454-323fcafdf45d/25805905941.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e7b46c45-d062-4538-b0df-2bea72eedc3e/12084140056.pdf  (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (In PDF document text)
    • http://purl.org/dc/elements/1.1/  (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (In PDF document text)
    • http://scripts.sil.org/OFL  (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00004b13.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B13 | 5364 bytes
    SHA-256: 59587396ca0603e873fda4c011d4c06a8eaa242901f7507eae77e962b8b3723e
font_01_sfnt_off00005d31.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D31 | 9808 bytes
    SHA-256: f1e4b5ea849d0392e190773fd9d67755522ab2eb6f8d430b31260b2adac131d4