Malicious PDF — malware analysis report

Static analysis result for SHA-256 67b45529d1e39dd2…

Verdict: MALICIOUS
File type: PDF
Size: 43.5 KB
Created: 2020-10-11 16:52:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-15
MD5: 447110cfccae126223c8a0f9be4cdc1e
SHA-1: dfc4130c71989c9f8f93d964979dc9b00a38d1a8
SHA-256: 67b45529d1e39dd27ce0d9ddf908cb3cd3c10db0417a15670eb0429982dd00c8
Risk Score: 184

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00006dcd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DCD | 4808 bytes
  SHA-256: 7aa9bfa0645adb8905ce93cd850a81f5873d30bbc0212c44f1cf9aaaad45feeb
font_01_sfnt_off00007e18.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E18 | 10300 bytes
  SHA-256: 212de6ea615264c150ec3264fb302d4f5a48b316604375391fe7b0617319c7ca