Malicious PDF — malware analysis report

Static analysis result for SHA-256 a851bd8a59992477…

Verdict: MALICIOUS
File type: PDF
Size: 49.3 KB
Created: 2020-10-15 11:14:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-04-10
MD5: 3f05c5d2b45665c52fd164b52df3aa30
SHA-1: 46fd1413941e75aee9b13ef19f1e04b17a04629e
SHA-256: a851bd8a59992477d6f3539f4b54238e7666434b15de03d901c45079f6b60113
Risk score: 184

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is in the destination, not in rendering the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family: the documents rank for search queries and route users into payload/redirect chains, rather than following a normal citation pattern. The PDF itself carries no exploit; the risk is in the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate definition carries active content (JavaScript, actions, launch or URI entries).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries below are XMP/RDF namespace identifiers from the document metadata, and the ascendercorp.com and scripts.sil.org/OFL entries are font vendor and licence URLs of the kind carried in embedded font name tables; neither group is a navigable link placed by the document author, and only the .pdf links and the ggtraff.ru link are relevant to the verdict.
    URL  Channel
    • https://ggtraff.ru/pify?keyword=puffin+web+browser+premium+apk+download  In PDF document text
    • https://jakedekokobara.weebly.com/uploads/1/3/1/3/131381480/1d44b872.pdf  In PDF document text
    • https://kidunaxu.weebly.com/uploads/1/3/1/4/131437100/6916491.pdf  In PDF document text
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/novovuxosijuzuz_wofabunutigepuw_dugulelura.pdf  In PDF document text
    • https://site-1040286.mozfiles.com/files/1040286/kibivibo.pdf  In PDF document text
    • https://site-1039148.mozfiles.com/files/1039148/mugolavonudodus.pdf  In PDF document text
    • https://site-1036936.mozfiles.com/files/1036936/radebefodapupeteduduj.pdf  In PDF document text
    • https://site-1038412.mozfiles.com/files/1038412/37309969879.pdf  In PDF document text
    • https://site-1040321.mozfiles.com/files/1040321/jipusepitotep.pdf  In PDF document text
    • https://site-1039002.mozfiles.com/files/1039002/60063749598.pdf  In PDF document text
    • https://site-1036838.mozfiles.com/files/1036838/60165527224.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365553/normal_5f86f69fe16ea.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4367951/normal_5f87b1954b671.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365649/normal_5f8709ea08012.pdf  In PDF document text
    • http://www.ascendercorp.com/  In PDF document text
    • http://www.ascendercorp.com/typedesigners.html  In PDF document text
    • https://uploads.strikinglycdn.com/files/c1984b06-b32b-4d98-b64c-f6296f5d8845/70342287611.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/cbe591fa-52a5-45f2-bbaf-4900ccd40da5/bitugazar.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/82b94961-9faa-4517-93eb-4e3a5a537c36/maxumudas.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/f914be4c-2347-4f9c-a5cb-8eab0a436c7a/37873941287.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/f668dffa-488e-4627-bda0-21e1f31b90ae/98936523860.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4e860db0-e257-452c-8c51-e71e6e2b1e9c/dudinib.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/b2a0b988-3b94-4e99-9c81-7a7247cd0634/ziluzela.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/0c349a31-635d-40da-8d5e-c7aa21b637f8/57902229307.pdf  In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In PDF document text
    • http://purl.org/dc/elements/1.1/  In PDF document text
    • http://ns.adobe.com/pdf/1.3/  In PDF document text
    • http://ns.adobe.com/xap/1.0/  In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/  In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/  In PDF document text
    • http://scripts.sil.org/OFL  In PDF document text
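The three link heuristics above (redirector link, clustered link farm, non-clustered link farm on disposable hosting) reduce to a small amount of host statistics over the extracted URI list. The following is an added example written for this page, not the analysis engine's own rule code: it takes the URIs listed in the report as constructed input and applies assumed thresholds (a "small" PDF is at most 100 KB, "many" means at least 10 external .pdf links, "clustered" means one host carries at least half of them) together with an assumed redirector host set and an assumed list of free/disposable hosting suffixes. With those assumptions the dominant host, uploads.strikinglycdn.com, carries 8 of the 21 .pdf links, so only the disposable-hosting variant fires; the report itself fires both link-farm rules, so its own clustering threshold evidently differs.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed input: the URIs listed in the report above, in the order shown.
# Namespace and font-licence URIs are kept to show that they are filtered out.
EXTRACTED_URLS = [
    "https://ggtraff.ru/pify?keyword=puffin+web+browser+premium+apk+download",
    "https://jakedekokobara.weebly.com/uploads/1/3/1/3/131381480/1d44b872.pdf",
    "https://kidunaxu.weebly.com/uploads/1/3/1/4/131437100/6916491.pdf",
    "https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/novovuxosijuzuz_wofabunutigepuw_dugulelura.pdf",
    "https://site-1040286.mozfiles.com/files/1040286/kibivibo.pdf",
    "https://site-1039148.mozfiles.com/files/1039148/mugolavonudodus.pdf",
    "https://site-1036936.mozfiles.com/files/1036936/radebefodapupeteduduj.pdf",
    "https://site-1038412.mozfiles.com/files/1038412/37309969879.pdf",
    "https://site-1040321.mozfiles.com/files/1040321/jipusepitotep.pdf",
    "https://site-1039002.mozfiles.com/files/1039002/60063749598.pdf",
    "https://site-1036838.mozfiles.com/files/1036838/60165527224.pdf",
    "https://cdn-cms.f-static.net/uploads/4365553/normal_5f86f69fe16ea.pdf",
    "https://cdn-cms.f-static.net/uploads/4367951/normal_5f87b1954b671.pdf",
    "https://cdn-cms.f-static.net/uploads/4365649/normal_5f8709ea08012.pdf",
    "http://www.ascendercorp.com/",
    "https://uploads.strikinglycdn.com/files/c1984b06-b32b-4d98-b64c-f6296f5d8845/70342287611.pdf",
    "https://uploads.strikinglycdn.com/files/cbe591fa-52a5-45f2-bbaf-4900ccd40da5/bitugazar.pdf",
    "https://uploads.strikinglycdn.com/files/82b94961-9faa-4517-93eb-4e3a5a537c36/maxumudas.pdf",
    "https://uploads.strikinglycdn.com/files/f914be4c-2347-4f9c-a5cb-8eab0a436c7a/37873941287.pdf",
    "https://uploads.strikinglycdn.com/files/f668dffa-488e-4627-bda0-21e1f31b90ae/98936523860.pdf",
    "https://uploads.strikinglycdn.com/files/4e860db0-e257-452c-8c51-e71e6e2b1e9c/dudinib.pdf",
    "https://uploads.strikinglycdn.com/files/b2a0b988-3b94-4e99-9c81-7a7247cd0634/ziluzela.pdf",
    "https://uploads.strikinglycdn.com/files/0c349a31-635d-40da-8d5e-c7aa21b637f8/57902229307.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://scripts.sil.org/OFL",
]

# Assumed for illustration; the report does not publish its thresholds or host lists.
KNOWN_REDIRECTOR_HOSTS = {"ggtraff.ru"}
DISPOSABLE_HOST_SUFFIXES = (".weebly.com", ".mozfiles.com", ".f-static.net", ".strikinglycdn.com")
SMALL_PDF_BYTES = 100 * 1024   # "small" carrier document
MIN_PDF_LINKS = 10             # "many" external PDF links
CLUSTER_SHARE = 0.5            # one host carries at least half of the PDF links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_pdf_link(url):
    return urlparse(url).path.lower().endswith(".pdf")


def is_disposable_host(host):
    return any(host.endswith(suffix) for suffix in DISPOSABLE_HOST_SUFFIXES)


def analyze_links(urls, size_bytes):
    """Score an extracted URL list along the lines of the three link heuristics."""
    pdf_links = [u for u in urls if is_pdf_link(u)]
    hosts = Counter(host_of(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(pdf_links) if pdf_links else 0.0

    redirectors = [u for u in urls if host_of(u) in KNOWN_REDIRECTOR_HOSTS]
    utm_term_links = [u for u in urls if "utm_term" in parse_qs(urlparse(u).query)]
    disposable = [u for u in pdf_links if is_disposable_host(host_of(u))]
    mass_links = size_bytes <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS

    flags = []
    if redirectors:
        flags.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if mass_links and top_share >= CLUSTER_SHARE:
        flags.append("PDF_SEO_LINK_FARM")
    if mass_links and top_share < CLUSTER_SHARE and (utm_term_links or disposable):
        flags.append("PDF_SEO_DISPOSABLE_LINK_FARM")

    return {
        "pdf_link_count": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_share": top_share,
        "redirectors": redirectors,
        "disposable_count": len(disposable),
        "flags": flags,
    }


if __name__ == "__main__":
    # 49.3 KB per the report header, rounded to bytes
    for key, value in analyze_links(EXTRACTED_URLS, size_bytes=49_300).items():
        print(f"{key}: {value}")
```

The host statistics are computed over .pdf links only, so metadata namespace URIs and font-licence URLs never dilute the cluster ratio; in a real pipeline the URL list would come from the link annotations and document text extractor rather than a literal.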
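The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above is easy to reproduce with a raw scan for "N G obj ... endobj" definitions. The following is an added example, not the analysis engine's code and not the bytes of the analyzed sample: it builds a constructed minimal PDF in which page object 3 0 is redefined by an incremental update that adds an /AA additional-actions dictionary with JavaScript, then reports every object number defined more than once with differing bodies, shows what a first-wins and a last-wins reader would resolve, and raises severity only when one of the bodies carries active content. The list of "active" dictionary keys is an assumption for this example.

```python
import re

# Constructed sample (not the analyzed file): page object "3 0" is defined twice.
# The second definition is appended as an incremental update and adds JavaScript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj", with N not glued to a preceding digit.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Keys that make a body "active content" (assumed list for this example).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia")


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def collect_definitions(data):
    """Map (object number, generation) to every body defined for it, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or last-wins reader would use for object N G."""
    bodies = collect_definitions(data).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(data):
    """Report objects defined more than once with differing bodies. Severity is
    raised only when at least one of the bodies carries active content."""
    report = {}
    for key, bodies in collect_definitions(data).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or byte-identical re-emission
        first, last = bodies[0], bodies[-1]
        report[key] = {
            "definitions": len(bodies),
            "first_wins_active": has_active_content(first),
            "last_wins_active": has_active_content(last),
            "severity": "raised" if any(has_active_content(b) for b in bodies) else "info",
        }
    return report


if __name__ == "__main__":
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {info['definitions']}x, severity={info['severity']}")
        print("first-wins:", resolve(SAMPLE_PDF, num, gen, "first").decode())
        print("last-wins: ", resolve(SAMPLE_PDF, num, gen, "last").decode())
```

A regex scan deliberately ignores the cross-reference table, which is the point: it sees every definition physically present in the file, whereas a conforming reader follows the xref chain and a lenient reader reconstructs it by scanning, so the two can disagree about which body is live. Objects inside compressed object streams are not visible to this scan and would need the streams inflated first.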

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
font_00_sfnt_off000070ea.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x70EA  5484 bytes
  SHA-256: 2e67b9794e537233a0203a32c259e9750f1c7c169d6a197504cb34df92be1c96
font_01_sfnt_off00008379.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8379  3544 bytes
  SHA-256: d1878b4518104f9afca73b3a7b965043d0bc2afbe1b23d8c4785c35bc7c98d57
font_02_sfnt_off000091f1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x91F1  10816 bytes
  SHA-256: 544b907a66e4de281becb7e6da381db0352c199a0a7a9f0854666300320734fd