Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc9206226fdc197b…

MALICIOUS

PDF

Size: 41.4 KB
Created: 2020-11-07 04:22:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-23
MD5: 2210bcea9cb5e477b4b1e14814984e6a
SHA-1: 771e9d8f8eeb00e5b6551d00853e1ffff29a9023
SHA-256: bc9206226fdc197b533d5a4c513f36531028d1e0e1b1b8d30644d82695c8bab1
Risk Score: 66

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00006244.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6244
    Size: 5032 bytes
    SHA-256: 4c6afc9fa074f699933fa51172d155c8535a4a29615c23852e93ba8cde020c07
  • font_01_sfnt_off00007393.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7393
    Size: 11192 bytes
    SHA-256: 22ea8d3636b9f7bf39ce713a025ae37bac007e793d1f5aa2b037c8d1ec33acdf