Malicious PDF — malware analysis report

Static analysis result for SHA-256 a11fc05c925b6d10…

Verdict: MALICIOUS
File type: PDF

Size: 48.3 KB
Created: 2020-10-29 05:17:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26

MD5: ddd817670b12021cfae7b52cc0bb0245
SHA-1: 9e611cc6403ae1c58f5c0afb6aea3e4ee0ca11a2
SHA-256: a11fc05c925b6d10be0bde13998f5ba8bfdd66c2b62994684f2c7e9f0faf1ac1

Risk score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off00007c44.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7C44    5216 bytes
  SHA-256: 53953f72660e9333b3d9e4db25154873ed37118b1369f6ce8bbc1aff33e15f96
font_01_sfnt_off00008dd4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8DD4    11044 bytes
  SHA-256: 9e5a45d5dc18be0d141278bade763dcd943c95697f67bdb6b8e6923f93f4de01