Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5b87164063e947c…

MALICIOUS

PDF

Size: 53.6 KB
Created: 2020-10-01 17:02:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-04-01
MD5: 8cedd3a05be21c0a87980d627ab73023
SHA-1: 2d2c4182ccfe8b9796bea51daaf2c12fa0a4723c
SHA-256: b5b87164063e947caa47e0f69962fea0d3b75400fd54973f96151e968269d52b
Risk Score: 202

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all found in PDF document text):
    • https://gettraff.ru/strik?keyword=anaesthetic+drugs+doses+pdf
    • http://files.naturalhealthperth.com/uploads/1/3/0/8/130815026/sibimimimodutaxom.pdf
    • http://files.monaghan.coralleisure.ie/uploads/1/3/1/4/131453950/xigufanubumigarin.pdf
    • http://files.nlrtsa.com/uploads/1/3/1/4/131409017/kiruwoniwapusetetak.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/82556016-4f5b-4fcd-aa2a-5ce25c9cb4c0/78797030706.pdf
    • https://uploads.strikinglycdn.com/files/c10469ca-84ce-44f0-809f-e54e8b253d1a/kexazomef.pdf
    • https://uploads.strikinglycdn.com/files/8a44047a-402a-4a6a-bc36-833b89c8c75d/jotefuwilonoka.pdf
    • https://uploads.strikinglycdn.com/files/e02dea8a-c3b9-442a-8578-aee026601d75/buxunapodutofipefonedagu.pdf
    • https://uploads.strikinglycdn.com/files/c454dc6a-a7d9-4512-b7f3-f760690c117c/29845275389.pdf
    • https://uploads.strikinglycdn.com/files/7f389797-d39d-4d9a-b8aa-7adb7083f8c7/76779400360.pdf
    • https://uploads.strikinglycdn.com/files/0366f06d-2f3e-4d22-a02b-70ba534cdada/dafivurorakatet.pdf
    • https://uploads.strikinglycdn.com/files/b2b733f0-a1db-42dd-9b05-9139eaea7563/vezenirovulinofewuk.pdf
    • https://uploads.strikinglycdn.com/files/82405a82-f05d-415f-b929-190fff5764cf/girepuzesewaxew.pdf
    • https://uploads.strikinglycdn.com/files/41f8cfeb-3027-459e-9454-f16a35d309c1/zagoravutiwofidadoxina.pdf
    • https://uploads.strikinglycdn.com/files/2c4b417f-492d-4753-ae9f-ea04e5df9ddc/56675476232.pdf
    • https://uploads.strikinglycdn.com/files/53575054-d750-4f0f-b600-2b5e01afad2a/nofazamivixojupax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000086f0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x86F0 | 5372 bytes
  SHA-256: 6f9f8b80188d12e85dc4b3f217b323170ca2ffe6b78589490a048f5c21079800
font_01_sfnt_off00009933.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9933 | 16000 bytes
  SHA-256: 3c1b74bdb1ce436ff8e42672622633633ff78ec47d52f1319461b4ab364e0003