Malicious PDF — malware analysis report

Static analysis result for SHA-256 918854916c4c9813…

MALICIOUS

PDF

38.6 KB Created: 2020-10-04 23:57:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: 165efb4ae62f45238b7f03d9b740ef85 SHA-1: 7439ef02745102d5d2602dec47dc77047a301d90 SHA-256: 918854916c4c9813d0e49b13c7aa0c8193f1de3a9bf4840a319ed4f6b1feefa3
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=flashcard+animal+4d+download In PDF document text
    • http://vofazos.ettore-bechis.com/uploads/1/3/0/7/130739416/demeziluxuviroj.pdfIn PDF document text
    • http://jetub.thekeybykate.com/uploads/1/3/0/8/130874359/1954076.pdfIn PDF document text
    • http://vinubim.mlmcpherson.com/uploads/1/3/0/8/130873951/somajuzol_poteta.pdfIn PDF document text
    • http://files.chaitanyayoga.co.za/uploads/1/3/0/8/130874125/7042192.pdfIn PDF document text
    • https://site-1038592.mozfiles.com/files/1038592/sukufipebazofivajonasukav.pdfIn PDF document text
    • https://site-1039423.mozfiles.com/files/1039423/bedivusomigajewekenez.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/4179187b-dd3d-41d9-b609-cf594d3e356a/19776661915.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/670f2af9-3bc6-4a83-98a6-6272e145e6f3/89716608132.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7048934-ad29-47ac-8789-ef596eb0108a/92720476301.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2108f10c-7155-469e-9b17-8a94ec348031/77883094342.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/57857ef2-ca8e-491c-951c-46bbc2546424/bezafemoxi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9e8d0bfe-9f1a-4126-a7a6-0edbddffc730/29182246411.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a4f3cbca-e971-4659-ba86-83e00f03d635/fizap.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a44d8347-17de-427d-bf37-d55fed5f1042/89973197108.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9c0262ed-dd5e-4b55-a82f-2cb317a14afc/vanogidamudij.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059a8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x59A8 5316 bytes
SHA-256: c5653d4b13a41cec104cfaa48ff41ce72342b0ed12f372a8cd09fb3f5a01b6f8
font_01_sfnt_off00006ba2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6BA2 10040 bytes
SHA-256: 375c6345859b89d2c1ef93b584dbf36ce0f7f292b0d30cb0fdb3bb30cc2434e5

Open this report in the interactive analyzer, or submit your own file for analysis.