Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b580faa02ecf3d7…

MALICIOUS

PDF

73.0 KB Created: 2020-11-02 01:03:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-01-23
MD5: e89a96a1b119b3c2738b3b64ed179856 SHA-1: 8154b0c4b037a4a853959b677c2b8f8a7a7f7cc0 SHA-256: 8b580faa02ecf3d7da914584be4bb5c27c5d1c0faa241e73b79fc8f0af38f067
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=sam+summers+racing In PDF document text
    • https://cdn-cms.f-static.net/uploads/4372101/normal_5f8c51a3184a6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/1254/5469/files/86135917146.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/069c2082-8b6c-4fa7-b97b-b6faa863d98e/14811535461.pdfIn PDF document text
    • https://s3.amazonaws.com/sedimeraxufi/fnaf_sister_location_full_apk.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b85d6516-401b-4155-844c-d6a1ef10038b/22196360912.pdfIn PDF document text
    • https://s3.amazonaws.com/henghuili-files/29818706043.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f291635d-a5fe-4ef7-891b-dce400dc87b9/hacker_techniques_tools_and_incident_handling_2nd_edition.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e4115c34-03ba-45ce-9248-41248c1d3c30/dapexafefixexota.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71e6851a-885a-4638-8ca5-f041e306a7e4/juwubivugusuxililibu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de6f2638-41f9-4de9-afdb-af3426a0606f/merriam_webster_pronunciation_guide.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/8432/3741/files/zumujipowirorabo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9a21e9bb-3b55-4316-a844-48f4975ef34f/81224219118.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/950349ba-710d-4ed3-8d20-7cc48423cccb/nissan_pin_code_calculator_free_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a76d004d-af9a-4f75-886c-ffda8bf4ea92/14828767878.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2ac633aa-0c68-42ad-acf6-25cf8ef528ab/vigasojorupejo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d618.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD618 5192 bytes
SHA-256: b24592fca761777c4852e0ee4c36b9f293785b56c9a7b7ca86720f2f629258e5
font_01_sfnt_off0000e7a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE7A4 16488 bytes
SHA-256: bbe9a19df743fc054adb9bc2be74fa4725d698fcc161fc0f32941ae81ea6e189

Open this report in the interactive analyzer, or submit your own file for analysis.