Malicious PDF — malware analysis report

Static analysis result for SHA-256 6622e9dcc24d89eb…

MALICIOUS

PDF

66.6 KB Created: 2020-10-26 11:04:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-02-23
MD5: 65d9a7533f45e9fc729807ac62e167c3 SHA-1: 4032aae837ab81c373d661ea241a77358f2edb00 SHA-256: 6622e9dcc24d89eb692e74339ceafc735df193e4624161486ca4f819817a885b
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=johnny+taylor+i+found+love In PDF document text
    • https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/rotesojelunemiroto.pdfIn PDF document text
    • https://ronumotesagazuw.weebly.com/uploads/1/3/4/3/134373959/dekibo.pdfIn PDF document text
    • https://pefopurez.weebly.com/uploads/1/3/4/3/134375846/33631e6e188.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/lopadivupudexa/as_time_goes_by_piano_solo.pdfIn PDF document text
    • https://s3.amazonaws.com/dujepav/cancionero_catolico_con_notas.pdfIn PDF document text
    • https://s3.amazonaws.com/wotodedaruzuk/lavadora_ariston_manual.pdfIn PDF document text
    • https://s3.amazonaws.com/xisefowu/shani_ashtottara_shatanamavali_in_telugu_free_download.pdfIn PDF document text
    • https://s3.amazonaws.com/mokuwanibof/rogege.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d702a53b-c6ec-45bb-bf0a-611c4d97b877/dadopisogewitamuxogi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7504351c-c155-4693-8523-e4f7d5a46bf1/16629916543.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7b5f0b14-9c62-4ded-8307-beb8be688c34/44884988057.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/46935286-3a00-46d4-b32d-48268d1a0a26/teditedita.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cdd97aa2-e377-4b41-929d-23fec3323b34/information_classification_policy_is.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f725c072-d483-43a6-931f-9a8ec1512a18/jodiranomegole.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9fbf85e4-90a2-4a50-a4b6-e8de5dfbd61b/54414145088.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/320be67d-ad6b-4f84-bbd8-70d32673b86e/7655335732.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4d34f09d-3389-4bdb-9b07-b7a52369b648/thor_ragnarok_release.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/2103/6452/files/secondary_school_leaving_certificate_kenya.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/4353/6541/files/zelik.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000d330.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD330 24096 bytes
SHA-256: 123c33e5aa4457677f56b9d17b0a50f4e6596e2a36b4fb6acb85b41fd86d3ce5
font_00_sfnt_off00009bbb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9BBB 4968 bytes
SHA-256: 535362acc03dacb19f365ebb0b172b8890d12b8fecb853a3ff1d6d9475826649
font_01_sfnt_off0000aca1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xACA1 11256 bytes
SHA-256: 6677155694aa1ccee30fa27bffc2ae1f9241cca208d5530ae9e77f50df16814a