Malicious PDF — malware analysis report

Static analysis result for SHA-256 91d8021838040fe6…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-10-26 11:42:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: 819a1f4dcf8c0da5c86706c8b175e381
SHA-1: d694d0603a0666ca7ff63c0b460b83829551f88b
SHA-256: 91d8021838040fe6a313921e1028668afa7b54909fc3cd3bea4e68224995e425
Risk Score: 184

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=upsc+cds+2+2019+notification+pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4391893/normal_5f90c7297634d.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4374843/normal_5f9523579ed7e.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4374532/normal_5f8d94d97afd5.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4368471/normal_5f87d8452ca0f.pdf [In PDF document text]
    • https://zalopajozi.weebly.com/uploads/1/3/1/4/131453352/6532961.pdf [In PDF document text]
    • https://xirunokud.weebly.com/uploads/1/3/4/4/134467368/kiwilobarokimakog.pdf [In PDF document text]
    • https://banafazag.weebly.com/uploads/1/3/4/3/134325205/6198275.pdf [In PDF document text]
    • https://misutinulil.weebly.com/uploads/1/3/1/4/131407711/tupunavowaxosixu.pdf [In PDF document text]
    • https://rofetavagamufup.weebly.com/uploads/1/3/4/3/134373504/xefadituz-xurizilu-fikadesewivo-pojak.pdf [In PDF document text]
    • http://www.ascendercorp.com/ [In extracted file (font_00_sfnt_off00007001.bin)]
    • http://www.ascendercorp.com/typedesigners.html [In extracted file (font_00_sfnt_off00007001.bin)]
    • https://uploads.strikinglycdn.com/files/901a8ce0-6ef4-4195-87ca-ae67eec37310/raluxov.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/5f739da8-594c-4a88-869b-86a94ffbd551/nujesobugi.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/bbaa2a9c-72e9-45ae-bfb9-d2f8826eb360/97530956261.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/dcde12cd-a491-4657-9e85-1afc7961d662/buvenobofuf.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/1726ac83-8edf-4dba-9311-5dd35311d02c/wolfenstein_the_new_colossus_uncut_patch.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/b920a153-6c65-444d-823b-96d9a0a6567e/ramomek.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/3d8077d9-3d45-4ca3-987a-f626dbc45169/25180253651.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/617e1d07-5e2d-4db8-9eda-6cc6309104f3/10575146374.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/5fb607e2-23e8-4063-901e-d365ad4aec15/gold_card_application_form.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/a6d2b118-2215-49a0-b299-5a835a3ef64a/25105990800.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/a70685c4-a0f7-49aa-aa75-3ce9e3a42e83/vuwawu.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/e54aceaa-3d56-4fdb-bede-de51a3fa3fc1/30016144282.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0497/7888/4759/files/step_pedometer_android_app.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0502/9661/9193/files/zutovebekuxojep.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0484/5587/6762/files/kebemuf.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0503/3879/1582/files/english_exercises_for_grade_4.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0433/9440/0423/files/parts_of_the_digestive_system_worksheet_answers.pdf [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://scripts.sil.org/OFL [In extracted file (font_00_sfnt_off00007001.bin)]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00007001.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7001 | 5496 bytes
  SHA-256: 4fd60f519cc92e309b4f1b6a152bf1e7e301be0f371520a5823b2c919f590dfc
font_01_sfnt_off000082c6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x82C6 | 10752 bytes
  SHA-256: 2ef2846519b7cfb6ead7613c5437e47fd72f01a4316645bfec5df4c8401b02ac