Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3195f8699faccb6…

Verdict: MALICIOUS
File type: PDF
Size: 74.3 KB
Created: 2020-12-14 15:45:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-02-23
MD5: 731c14cc8e5d07c196dd412ec7c9fc61
SHA-1: 3c8056a44fcd3c13838c9df5060215d25bdc31f6
SHA-256: a3195f8699faccb6d468ab7a8224e0974861e061bc9864ab92238a5600042b10
Risk score: 254

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector. This is the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. The rule matches structurally (image lure plus SEO redirector), so it does not depend on a ClamAV/ML signature and fires regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; each extracted URL is labelled with the channel (macro, JS, link annotation, document body, ...) through which it was reached.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d69f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD69F
    Size: 5400 bytes
    SHA-256: 9a7021e09e217fb464b819d92679548455b4d90113462eb8b2e1faafdad6246d
  • font_01_sfnt_off0000e904.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE904
    Size: 16008 bytes
    SHA-256: b6201a670e1ea47a6c37794bc488c7f355632d95cfc7d0db865f425c62b5efe1