Malicious PDF — malware analysis report

Static analysis result for SHA-256 b703a1d8cdb4222b…

Verdict: MALICIOUS
File type: PDF
Size: 68.3 KB
Created: 2020-10-28 16:06:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: cf28548bcb6ffc59e422863b28530ddf
SHA-1: b6138f0e58ba49832d960a89226864a550a36bde
SHA-256: b703a1d8cdb4222b9421d2793caa82cf362216ae0c0c980d2971ff1b29ea09ea
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=ghillie+suits+costumes [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4381318/normal_5f8e1ddc5d58c.pdf [In PDF document text]
    • https://jodobape.weebly.com/uploads/1/3/4/3/134317169/wotuvif.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4366313/normal_5f87a627e941e.pdf [In PDF document text]
    • https://tenabawik.weebly.com/uploads/1/3/2/7/132710661/lopolirubaz-rasufadajego.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4374700/normal_5f98767f17d0a.pdf [In PDF document text]
    • https://korodaziso.weebly.com/uploads/1/3/0/7/130740443/mafebetaxujewu-vomiwapudapep-lezup.pdf [In PDF document text]
    • http://www.ascendercorp.com/ [In extracted file (font_00_sfnt_off00008d0b.bin)]
    • http://www.ascendercorp.com/typedesigners.html [In extracted file (font_00_sfnt_off00008d0b.bin)]
    • http://www.daltonmaag.com/ [In extracted file (font_03_sfnt_off0000f5e2.bin)]
    • https://uploads.strikinglycdn.com/files/23d290c2-e6cb-4849-b5e3-1c6921ade309/luvofatopozorajapepewu.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/0286e5c1-9d58-4eeb-af9d-2d326539e14c/11107430899.pdf [In PDF document text]
    • https://s3.amazonaws.com/toliwudalamem/answer_phantogram_meaning.pdf [In PDF document text]
    • https://s3.amazonaws.com/roware/causes_of_rural_poverty_in_nigeria.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/4f16a8cc-bfc6-4baa-8629-38ad880301b6/el_conde_de_montecristo_online_latino.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8c7042a3-51ab-4e11-9327-fbfbe2f85549/giguwarufox.pdf [In PDF document text]
    • https://s3.amazonaws.com/gupuso/votoxunamoroxa.pdf [In PDF document text]
    • https://s3.amazonaws.com/zuxadol/45645091297.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/70742140-366a-4d92-818b-265323d4e2f5/wulitaxipazalakirob.pdf [In PDF document text]
    • https://s3.amazonaws.com/subud/great_american_cookie_job_application.pdf [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://dejavu.sourceforge.net [In extracted file (stream_005_off0000c504.bin)]
    • http://dejavu.sourceforge.net/wiki/index.php/License [In extracted file (stream_005_off0000c504.bin)]
    • http://scripts.sil.org/OFL [In extracted file (font_00_sfnt_off00008d0b.bin)]

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_005_off0000c504.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xC504
    Size: 28100 bytes
    SHA-256: 548c3e9ebc6d32c335199423716c7768e8366c423eb5b6400f23f9356bfb74b9
  • font_00_sfnt_off00008d0b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D0B
    Size: 4540 bytes
    SHA-256: b634defe395769d0ea448c67b844f36e7177ac367dd26247bf643b3d2f3beb73
  • font_01_sfnt_off00009c8c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C8C
    Size: 12404 bytes
    SHA-256: d05ab431f2126b762884430fbf43232023ccbcb269645d3d9f774d51cff699d9
  • font_03_sfnt_off0000f5e2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5E2
    Size: 4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3