Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e33c0ecc375cc8c…

Verdict: MALICIOUS
File type: PDF
Size: 66.8 KB
Created: 2020-10-21 00:43:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: d57a432a70d1b97c8536969826898446
SHA-1: 3c8876be51bfbfd6cc1567265e8ead821855552c
SHA-256: 5e33c0ecc375cc8c0408f7dd41a5aa0a9cc4ed29b61a84c15a548065dbf3ebd7
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so that detection does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename (kind): source, size
  • stream_007_off0000c215.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0xC215, 31300 bytes
    SHA-256: fb61cad9a65aaa1cbcba361020742c4bacdc3406f67f6468c014c414eb05519e
  • font_00_sfnt_off00007186.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x7186, 4844 bytes
    SHA-256: 1d1091acaff2900b71c5d6df0e6ad675f021ad4ae3178f07f9d42c547abc5cba
  • font_01_sfnt_off00008210.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x8210, 1648 bytes
    SHA-256: 4a8ebde5e94bd7e49bcaf164f77963ab18066d5334cf8871f4ac3f3f313d9c8a
  • font_02_sfnt_off00008a54.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x8A54, 17308 bytes
    SHA-256: 54262c2d8af7ae2de301a04f0c2c623687d96421c57f129877f1a6e52842e67b
  • font_03_sfnt_off0000a3b4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xA3B4, 8844 bytes
    SHA-256: c588bb1b33a57f3e49e1f9fae0ae1d4c13cc48ae915a2aa7272aeb0ee33dad1a