Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e253dffaf90fbac…

MALICIOUS

PDF

73.7 KB Created: 2021-01-03 09:09:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10
MD5: d5e03563abe6ed49656cc5b078e17e28 SHA-1: b6bda44b2df80810946b3dabeafba68ff36cef5d SHA-256: 6e253dffaf90fbacbdd99c5e2e3f41e0670f670da6aeadeaa40f71f5a199882f
254 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/wb?keyword=zombie%20derby%201%20hacked In PDF document text
    • https://cdn-cms.f-static.net/uploads/4424024/normal_5fdb99d0b5bf7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4411923/normal_5fb5b9068e67f.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4481271/normal_5fe0e33e985f1.pdfIn PDF document text
    • https://venakadu.weebly.com/uploads/1/3/4/7/134729608/5078609.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370051/normal_5fb0358912c80.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/53747948-d1b6-46b9-89b6-e7c85bc8e06c/carbonated_soft_drinks_uk_market_share.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1972dfce-0732-428e-a039-f1f50c639bcc/kamp_rite_double_tent_cot_uk.pdfIn PDF document text
    • https://s3.amazonaws.com/felasorarabipis/80308898373.pdfIn PDF document text
    • https://s3.amazonaws.com/lezopobigeza/najipusinagij.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ce5473c1-94bf-4893-9045-ed96a97046dc/310mm_to_inches.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de0c36d8-2bd6-4feb-ab4b-73720f6f4bfb/brica_seat_guardian_review.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bac4dde8-7bc2-4aa1-a424-58b3a7ef18ed/rust_mother_s_day.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7d9b9aab-5c7d-49d1-931c-1ad28f587cab/condensed_electron_configuration_for_br.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0a040298-f248-49d9-a1ff-8cb53a28dbb0/computers_and_intractability_a_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d0a5fa08-3205-4cfe-aa61-f0a21bda83fe/gentleman_mp3_songs_free_download_at.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da07.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA07 5284 bytes
SHA-256: 655d213e648822d0079002e33cea48c0c5881a95871b9725fd1f38568b310797
font_01_sfnt_off0000ebe4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBE4 14700 bytes
SHA-256: 53c1c4886bbdf3690fceddb134409294bbe2e59a3a9a50b66bd754890abac50f

Open this report in the interactive analyzer, or submit your own file for analysis.