Malicious PDF — malware analysis report

Static analysis result for SHA-256 76924f9149e54595…

MALICIOUS

PDF

50.5 KB Created: 2020-10-30 12:16:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-02-23
MD5: bde224ce0ecedb2f248b6f759d8bcd14 SHA-1: 9d8430eacc4f3ab6facacd897f9665db7a9990b1 SHA-256: 76924f9149e54595627f6c104d659006fdc30d74111e3f807a55a1a399bdbbbc
214 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/123?keyword=dropbox+file+request+size+limit In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365549/normal_5f870a2444e1e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408195/normal_5f9bacffcfa3b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366389/normal_5f8b4f0482a78.pdfIn PDF document text
    • https://denasigetul.weebly.com/uploads/1/3/4/3/134332190/mudufa_makokowos_zefuzatarele_roxekuk.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371524/normal_5f9811bc287da.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365541/normal_5f86f8a126750.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376127/normal_5f94a9d045dfc.pdfIn PDF document text
    • https://fukikabigo.weebly.com/uploads/1/3/4/4/134457586/fixawenirutuna.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378857/normal_5f8ab18cde4ab.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365563/normal_5f8710441bb51.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/a4a16cc9-33d4-45f2-9ef9-e04c555b078e/nabivubenapiwu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1ebb0ca9-a051-4694-a971-c30c450938c4/8020138575.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/038c01b4-d2d1-4465-b3ac-686ed6dfb4f6/36383995432.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/37603d0f-490c-48a7-907b-4f601f85fef6/zigewasititufixuxi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b9173d2d-97d3-48ee-b187-065deaa84caf/79823541813.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/20b6a482-e0cc-4529-97d4-364e5bbcb8c5/lopiperexo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6BFF 6744 bytes
SHA-256: 127b44c9f93874c96d25eb7ddc4688780d8877ce931cf296363fb5748d8d514b
font_01_sfnt_off00007ce6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7CE6 5220 bytes
SHA-256: 7d304d8b9aee29039f2772e6dbfaf3f7bdfed1cf5b6074f8a9284c2bb53809ac
font_02_sfnt_off00008e9e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8E9E 1700 bytes
SHA-256: a2a592d7f3c19d5c7a9cd22bee3c2949d58e30f85cf180640836e2db01ff1c49
font_03_sfnt_off0000971f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x971F 10652 bytes
SHA-256: 6d2ef66f445b7f2c65c1abfb102d84d94c570f546a6cbf2fcf879172918c6228