Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae8081a5bb6dfc16…

MALICIOUS

PDF

41.3 KB Created: 2020-09-06 08:43:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: ec8b82ed4800ef6ee07e7624fec4dac7 SHA-1: e30fdb4901a0750ec514bd531bfb4f120594e66f SHA-256: ae8081a5bb6dfc16e695ac50f112a3bb61bf7eaa441670ab3b30c12a6f32c93f
202 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=12+late+payments+on+credit+report In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static.usrfiles.com/ugd/98d33d_de4c0f5a36a941fb80eb0104001314c4.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/2b3f46_303431fce65644608850c1b2f94cac6f.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/7d21c0_8b268c63addb4a38af7e5602270bd93c.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/dbbfd0_1bd3e0d93dd643c1afa2584361259cfe.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/cc14e4_531f5a77581240d5870b6745d90d4376.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/02af14_2aa024987bae44dfb2497cb5233d0c98.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/3db607_fbae93570f1f4a008e1493df2886b007.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/d31907_4bfa077a91b3410aa0bb5c0489413f12.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/7a11b0_6018cc48ca0d4d9785ce4c8ae62be61f.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/55e2c6_0534c0754eb34aa0bf0cbaf975165708.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/8854/2872/files/20866943008.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/2530/0629/files/proteinuria_hypertension_guideline.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/7195/3301/files/pasuv.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/2270/2999/files/bond_variation_form_online.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0447/9241/4369/files/section_32a_of_registration_act_1908.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/1925/5456/files/bolabidajetixajevanegiz.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x63D2 5412 bytes
SHA-256: 347f5ac0cefacc7433403d46a7140cb690cfb2117420613dd9132ea1172d4a36
font_01_sfnt_off0000762b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x762B 10080 bytes
SHA-256: c883a18bb218d12173797ac8d0de095d40be36a029bd1bc143c82b04c2ccb859