Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9cc37c579579785…

MALICIOUS

PDF

52.9 KB Created: 2020-11-09 02:54:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-01-23
MD5: 0d071e504781dabf14c5c383cfa05b93 SHA-1: 1e553e1890bf4e88ab5fba9b93ebee5e803c1771 SHA-256: b9cc37c5795797854877c8ec2acc52b86e93b5041942181abdc084fc83a07363
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/123?keyword=civil+rights+and+liberties+worksheet In PDF document text
    • https://zalawevovupat.weebly.com/uploads/1/3/0/9/130969727/5196672.pdfIn PDF document text
    • https://tojewenegekov.weebly.com/uploads/1/3/4/5/134502344/nabixa_jifewe_kipixalomuvet.pdfIn PDF document text
    • https://tadeganerusoza.weebly.com/uploads/1/3/1/4/131438541/sipinonigepaxiguxofo.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/ec378760-60ed-4656-aa9f-4c4f0379d2a5/nfl_redzone_verizon_channel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c6ad71ff-a928-4872-a736-231b7217cdd9/14321627370.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ff097f03-92b4-49e8-9533-613c0b16c2a8/68517241624.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0ffd164e-1a74-47d4-97e8-0dfd685e3bbb/74274245122.pdfIn PDF document text
    • https://s3.amazonaws.com/mejados/30528686337.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c33f40b4-1719-4e10-98b6-e09258c44e2d/72935917944.pdfIn PDF document text
    • https://kebupud.files.wordpress.com/2020/11/16674380217.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6015500f-8128-4757-9e64-acf092c2f33c/gezixukavutu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5c4db165-3d94-4f8d-8bee-ddacf1dc7d23/wuvuvesudero.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ff7920f-fb10-468f-8329-d08ffdfbfbee/one_piece_episode_875_english_sub.pdfIn PDF document text
    • https://noxedax.files.wordpress.com/2020/11/verugigasojusewos.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ae231480-ff42-437e-ab79-65693e7892bd/52242820633.pdfIn PDF document text
    • https://s3.amazonaws.com/fuwenoxuzasila/nevada_middle_school_nevada_mo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008365.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8365 5252 bytes
SHA-256: f5e888e62a4f24923e9e761d1967781c0336be07818ac52d1a68102d705bdd77
font_01_sfnt_off00009548.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9548 10284 bytes
SHA-256: 3134d4f03ea776d334c29593f76e7eb6ecd0e718b1febdda7eeaed1c3384b7f1
font_02_sfnt_off0000b816.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB816 4324 bytes
SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c