Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6dad89d9a107705…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Created: 2020-10-28 21:18:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: abec05f84d12a596e17dda1caf53b0a7
SHA-1: 9c41e0a7a8f3596e09f852ceb489f121bfac9ad2
SHA-256: b6dad89d9a10770534f09877c96c2d4f5d97616a287abf791e728fd7f2d8e015
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each one):
    • https://ggtraff.ru/aws?keyword=reported+speech+exercises+pdf+advanced [In PDF document text]
    • https://jawasolasazilem.weebly.com/uploads/1/3/1/3/131379174/d1ee3c84.pdf [In PDF document text]
    • https://gudojovevisepu.weebly.com/uploads/1/3/4/3/134314990/4056092.pdf [In PDF document text]
    • https://mesifadenox.weebly.com/uploads/1/3/4/1/134108947/gawuja.pdf [In PDF document text]
    • http://www.ascendercorp.com/ [In extracted file (font_00_sfnt_off000050e5.bin)]
    • http://www.ascendercorp.com/typedesigners.html [In extracted file (font_00_sfnt_off000050e5.bin)]
    • https://uploads.strikinglycdn.com/files/25fe3ae0-0568-418c-b174-7d491de91e77/68327880144.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/ee528e8e-093a-49a9-b076-ad6a2a08a7eb/elite_dangerous_occupied_escape_pod.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8cff4207-7aed-473d-a8b4-6dc3c1b2a9e8/sojuzaxuvudadimid.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/cf70e445-91ce-4770-aea0-4e87446ea5f7/rijafep.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0486/8184/4886/files/colchester_middle_school.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0482/2912/2200/files/esl_worksheets_for_adults_beginner.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0496/3991/5671/files/39440998621.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0502/0031/4039/files/ieee_802.11_ac_physical_layer.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0504/9774/9154/files/logaxigumunabusadof.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0501/5289/8739/files/international_journal_of_breast_cancer.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/9365b050-54a6-41d2-b10f-73175f45e898/9587124638.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/9fcd2254-ea86-48b2-9cd1-ce35cb0a375d/nakewurikolerivif.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0498/0890/0250/files/terraria_1.2_4.1_download_apk.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8725f50b-76d6-4db4-aa61-83e3fe1f8d12/32837768417.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/265f00d4-bc8f-457f-bc11-858fe6b6161e/92965921353.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/7c254bec-dd0d-4ff6-907a-d938555ec721/dijagona.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0505/1111/8507/files/padad.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8cfc6079-a88b-4907-a265-9ff49c3486c4/22401009862.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/4b1a00b0-8516-4f69-bd8e-c7af729764e3/atheist_books_amazon.pdf [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://scripts.sil.org/OFL [In extracted file (font_00_sfnt_off000050e5.bin)]
    • http://dejavu.sourceforge.net [In extracted file (font_02_sfnt_off000086ce.bin)]
    • http://dejavu.sourceforge.net/wiki/index.php/License [In extracted file (font_02_sfnt_off000086ce.bin)]

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

  • font_00_sfnt_off000050e5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x50E5
    Size: 5348 bytes
    SHA-256: 1752d0744035d503b580535accc2589d73c049b67f356983db8609441f5089ab
  • font_01_sfnt_off00006320.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6320
    Size: 10448 bytes
    SHA-256: ab71366b2608daed9593ea236629197d52364798edfc0adcaadd69bba3be7d90
  • font_02_sfnt_off000086ce.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86CE
    Size: 16096 bytes
    SHA-256: 3bb08857b08983a257d5a2052628e18542fd51c8d29f5bbef87ea8b8ace00841