Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa3218700b1eec17…

MALICIOUS

PDF

62.1 KB Created: 2020-10-04 07:01:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-04
MD5: 145e46e9f96ba0a77a708753688c427b SHA-1: e7ee81e22fc69b6256d6fbc6762df3959e771b43 SHA-256: aa3218700b1eec176612b8807a7acba9dfab0754284d4010816b14bcbb5bf775
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=pit+boss+pellet+grill+owner%2527s+manual In PDF document text
    • http://sebikudux.highsandhellos.com/uploads/1/3/0/7/130740151/pejotewajuxobumi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/9d123864-f4fd-475e-80c8-1d458e5f832f/simewuvopute.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0b2f5795-712a-4150-a84e-721d18be0d65/sojizurinafulakuxode.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b7163b59-b799-4930-a570-0bcb61e2c13d/kosexelifuneda.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/57261663-bcd1-4b7b-9f7e-2f8e9309ebe7/malosenalodatajefimib.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cdcd52d9-5ce8-4682-b87f-296da8967c57/69798470473.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eafde5f8-2b0e-4cb1-b628-d84d6d18e32e/maxenemurekizilomevum.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ccdf9f4c-3199-46a1-93b0-5a159be728fb/52225537191.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/445c575c-ef36-43d8-858e-5009a9fa17f0/76023208240.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/40aa7d17-987f-4805-a2dd-e7dd7afef40e/nifimodexe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/206791ef-56c4-4162-9dbb-38bc416a1da0/vadanadawarunopu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0ee8f949-9ad3-46dc-93c7-b0a5f0d3d31f/21091389743.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000900a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x900A 5288 bytes
SHA-256: cfa6e598d4e5653cedf79c386cd286f827e9f7244a2f101c8441017de3c4babb
font_01_sfnt_off0000a1ef.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA1EF 5948 bytes
SHA-256: 6444f8bc0d6012e501525504cb40fc02b706283e19e8a504c964c2508e4c4615
font_02_sfnt_off0000b859.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB859 10836 bytes
SHA-256: b791aed5803d7eece0ae50e025407af41d6833f38fe83765f44ab3db6e2e5b3b
font_03_sfnt_off0000dd0e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD0E 4324 bytes
SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3