Malicious PDF — malware analysis report

Static analysis result for SHA-256 712b1e5fd66b2b90…

MALICIOUS

PDF

49.2 KB Created: 2020-10-30 16:24:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-04
MD5: 96931c47a12149fa3b2af83029bf8c55 SHA-1: e8e5e86b4dc30791616e6a72647289e2e509be15 SHA-256: 712b1e5fd66b2b90b6a47817482b19c0424e2312d07855bb8d1d686baa3f94a4
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=calcium+oxide+ph In PDF document text
    • https://wajiresejepo.weebly.com/uploads/1/3/0/7/130774962/bobeduj.pdfIn PDF document text
    • https://fidevawane.weebly.com/uploads/1/3/0/8/130814252/metugobiresa-dojexodibix.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/susopuzupure/tojusasepenemufabeja.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0d9b2ac5-e940-4961-86ab-4d913e85dd9d/bekuzikomevixevu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/599ed15b-586a-44b0-87a7-5978636d437e/fujogulaxolejamebagiko.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/854d186a-b46e-4c4b-bcbc-cecc15fea30e/90844811545.pdfIn PDF document text
    • https://s3.amazonaws.com/satedafadusizo/61710745290.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/35c084dd-3fd2-4643-b31d-bf1629678311/electric_gate_guide_rollers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/064fd4e7-da23-4be2-9d45-9947ae9026c5/private_pilot_biennial_flight_review_study_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3b5c4c8-880e-4ee3-a4ba-5bb19f4ba175/ge_cafe_convection_microwave_oven_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e80002b5-7685-40f1-b5fa-0ea7f6a7efeb/52869277509.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/55a90ff3-941a-4424-b4a3-f95ebc86ff64/batman_arkham_city_xbox_360_dlc_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c24047e5-9b6d-4ee6-8180-e1bf7e90f8c5/89175238790.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f39f35d9-8298-44e2-bdba-aa7fbe93a413/vuzamoromaboba.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007151.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7151 6492 bytes
SHA-256: d2077f5d6d5b1d677d9b6d000eb087611a047961d42ceeb980acba3b54af8b85
font_01_sfnt_off00008186.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8186 5012 bytes
SHA-256: 8d19c42eea9f840f51f3a12dda85c3a7b1d1430d40564cb27c669c487bae21e1
font_02_sfnt_off0000926d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x926D 11044 bytes
SHA-256: e306b2e192b20f3d1e7290c8e51da51caf5b304aeed36535d41c56e1482c7bfa