Malicious PDF — malware analysis report

Static analysis result for SHA-256 75ce9f12c118596f…

MALICIOUS

PDF

Size: 50.0 KB
Created: 2020-10-21 03:44:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-02
MD5: aef4429eb38857063829ad1f9e753276
SHA-1: cb41103ab77cddb44857c33a3f3224edbf9c0cb0
SHA-256: 75ce9f12c118596f9bc6a6f837a1a9391a337a7ffa3b840a3cc4510f8ce93d54
Risk score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, i.e. the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel in parentheses):
    • https://ggtraff.ru/strik?keyword=imagenes+de+sumas+para+preescolar (in PDF document text)
    • https://tibiwurab.weebly.com/uploads/1/3/2/6/132695994/radorudezipaxorobewe.pdf (in PDF document text)
    • https://zoveponezewuda.weebly.com/uploads/1/3/0/7/130738822/7093334.pdf (in PDF document text)
    • https://zisokilusativ.weebly.com/uploads/1/3/2/3/132303079/gugojipelonesek-zutamimamimone-jivigopol-gatufob.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in extracted file font_00_sfnt_off00005ee9.bin)
    • http://www.ascendercorp.com/typedesigners.html (in extracted file font_00_sfnt_off00005ee9.bin)
    • http://www.daltonmaag.com/ (in extracted file font_03_sfnt_off0000a9ce.bin)
    • https://s3.amazonaws.com/kavitokolezub/bepolatuzoxeki.pdf (in PDF document text)
    • https://s3.amazonaws.com/henghuili-files/describing_physical_appearance_esl.pdf (in PDF document text)
    • https://s3.amazonaws.com/felasorarabipis/94701795661.pdf (in PDF document text)
    • https://s3.amazonaws.com/zirojopemup/85967725058.pdf (in PDF document text)
    • https://s3.amazonaws.com/tadovu/zibefixuku.pdf (in PDF document text)
    • https://s3.amazonaws.com/henghuili-files2/fekajozokebuzedegusup.pdf (in PDF document text)
    • https://s3.amazonaws.com/wilugugo/jenatuzonizatazavadefaw.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1ec05565-f89d-4400-a5d7-3c470f5b1d20/zutapavavajanud.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1004e0e6-c96c-41dc-a1fb-0b1b1d7e1d83/36481920869.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/117ebc17-3648-4c5b-aca2-53a9bd122b79/5124714246.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8ac4f3f2-3afd-4ba7-bec1-8d0b3cc20c92/zemitusidipabu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/253a0873-c085-472d-9bc4-d71baa6bc5b8/66646839718.pdf (in PDF document text)
    • https://s3.amazonaws.com/subud/wisemonatilopupasa.pdf (in PDF document text)
    • https://s3.amazonaws.com/henghuili-files/erico_cadweld_molds.pdf (in PDF document text)
    • https://s3.amazonaws.com/zuxadol/synonyms_and_antonyms_worksheets.pdf (in PDF document text)
    • https://s3.amazonaws.com/tetazino/cisco_lab_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5c6cbec4-63da-46b5-9316-f61d4abd81d2/25741969518.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5558ac7e-1333-4002-8d60-6646fc6f5e5d/fametajadaxizinititukezu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/700b5be6-8259-4a7d-9bac-a81b0bd4e3ec/lusetumitod.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3ed17d8f-cc6d-471d-aa35-1d3b3df457b0/voziluwivejusefofedubuv.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e23ded74-d37b-4004-8ace-19f1bda5cc6a/26306899590.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in extracted file font_00_sfnt_off00005ee9.bin)
    • http://dejavu.sourceforge.net (in extracted file font_02_sfnt_off000094af.bin)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in extracted file font_02_sfnt_off000094af.bin)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005ee9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EE9
    Size: 5084 bytes
    SHA-256: 308c726fc0c03680535f8b399de88250ea0ea8bc43714e12643b9e475e599357
  • font_01_sfnt_off00006fff.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FFF
    Size: 11260 bytes
    SHA-256: d2aaa5f274944c797f0a205a0b98cbc3a8967fa1c1cec9080f1cc1b561d34ed3
  • font_02_sfnt_off000094af.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x94AF
    Size: 16164 bytes
    SHA-256: 7f64a184185b19c4509fb58d2bd1b04ad0bf592a661abde0780cedf99fd3e42e
  • font_03_sfnt_off0000a9ce.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA9CE
    Size: 4324 bytes
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230