Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b093acb4a0ec7e6…

Verdict: MALICIOUS
File type: PDF
Size: 41.8 KB
Created: 2020-09-29 18:12:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-15
MD5: c4fa3a02478a4a40deb5d1f57e1bcb6b
SHA-1: b3b1fe9319fae57b939e5ca2a0049a662140dcef
SHA-256: 9b093acb4a0ec7e6952f91ed7a565b71ec84564e90b1d243f3390d28cd4c8739
Risk score: 184

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=apk+farm+heroes (In PDF document text)
    • http://wigumipev.drrjbattechiropractic.com/uploads/1/3/2/6/132695615/1421714.pdf (In PDF document text)
    • http://files.heatherbrittonphotography.com/uploads/1/3/2/8/132815367/fofirobijuxar.pdf (In PDF document text)
    • http://files.rucomingout.com/uploads/1/3/1/6/131606798/ritopavesexi.pdf (In PDF document text)
    • http://files.spotteddairyair.net/uploads/1/3/1/0/131071258/8f1fe775233.pdf (In PDF document text)
    • http://files.mectacprinstructor.com/uploads/1/3/1/4/131437740/2f469132278.pdf (In PDF document text)
    • http://files.wlu-science-chem-halabadleh.ca/uploads/1/3/0/7/130776088/6c60c1feaa.pdf (In PDF document text)
    • http://gupojidig.outsidethebox.nz/uploads/1/3/0/7/130740190/ledokunisawu.pdf (In PDF document text)
    • http://buwaxun.liquidnitrogenphoto.com/uploads/1/3/2/7/132712336/3e6f135d76c7cd.pdf (In PDF document text)
    • http://pifefadu.wanderwithwool.com/uploads/1/3/0/7/130776106/8938605.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://www.daltonmaag.com/ (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4243296e-2c99-4bfc-b5d8-3a7d3b049e9f/23217982519.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ed307e1d-11c9-4b66-9cd2-2f49935a37cd/19328023851.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/04b32aa4-81c1-4392-9404-27e8ba272cf6/wevuf.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/20736687-3724-4f62-acd8-9d5702331e61/fegoxibedenulabax.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/49fd8971-9b07-4b68-ba5f-6d4111c38b7e/99196120299.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/11389ef6-48f5-486e-b021-d68dc6f9d4a2/13475937024.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ab2b389b-baba-4589-a23f-269683c56cfa/31862788802.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/81862167-b094-413f-a0ab-d5720906df8d/89287127911.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off00005890.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5890  4716 bytes
    SHA-256: 0ca6aa06de8fe83de21d530e802e32d7100ef2a4ca351dff0eba6a1048b59446
font_01_sfnt_off00006888.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6888  10400 bytes
    SHA-256: fe4170c038b58cae84c6bd7f079201ee98dc2a46de1a41f7355f2190e883acf0
font_02_sfnt_off00008c2c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x8C2C  4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361