Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f88673256bcad48…

MALICIOUS

PDF

Size: 58.1 KB | Created: 2020-10-26 03:19:35 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) | First seen: 2020-12-26
MD5: b778a6d8cd4fe1972063df8ec13dc87a
SHA-1: ca71bd5e7242c387c9bafecb95d064720c738817
SHA-256: 5f88673256bcad48f9de680f6c82a175ec71b06cadf428e0f116f1c74aae3178
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains a mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule PDF_SEO_UTM_REDIRECTOR_LINK)
    The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. The rule fires on structure (image lure plus SEO redirector), so it does not depend on a ClamAV/ML signature and is unaffected by how many filler text pages the lure carries.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00008667.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8667 | 5272 bytes
  SHA-256: 56e4366bcc4faee59e08c48fe56b1c10e52b65f8e0cb055a9dac8f2c441c2256
font_01_sfnt_off00009855.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9855 | 13960 bytes
  SHA-256: 852ca0ffaf3f5f8986c067a51493f6e51233b4203ec172874d419064f50ffd3e
font_02_sfnt_off0000c544.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC544 | 16136 bytes
  SHA-256: 043be0776a30beff310ba57abfbd428576305065390232ed26ad0cfb0a25ec8b