Malicious PDF — malware analysis report

Static analysis result for SHA-256 6af2e9c906bacddc…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-10-28 18:39:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26

MD5: 8e09a2ee272ec57993529fd099e4264a
SHA-1: 4ea617d6821d870cbf1589640c68456836600a57
SHA-256: 6af2e9c906bacddceed78558cd3358cb203a8af300a40cd42aeb517f98b5ad46

Risk score: 134

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000708f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x708F
    Size: 5060 bytes
    SHA-256: ff865e57937245a63f46aa998be81ec66e622c67ab8b93cb1c0220d5b25a2c56
  • font_01_sfnt_off000081f1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81F1
    Size: 10360 bytes
    SHA-256: b58388a4f94dc75ebac26babc3092023046fc68e3e293bc421d15598ba5f41b2