Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1a63d2949a8e64b…

MALICIOUS

PDF

39.4 KB Created: 2020-10-08 00:04:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: 435ec30d0160f68b9a0b850ffb117d82 SHA-1: a7c473ff1e33c8de742a01ceb09c218fa8c4f66c SHA-256: c1a63d2949a8e64b966bf9e972efb795cee13f639e7487cd6fc3831a3434ae3c
214 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/pify?keyword=show+box+free+apk+ios In PDF document text
    • http://files.townsonsmithdesign.com/uploads/1/3/1/3/131379696/5923255.pdfIn PDF document text
    • https://site-1036756.mozfiles.com/files/1036756/xuxexojujulebeminel.pdfIn PDF document text
    • https://site-1039838.mozfiles.com/files/1039838/legesutopedifomerexu.pdfIn PDF document text
    • https://site-1042988.mozfiles.com/files/1042988/gubijitesubizexozagatus.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/da2da994-a78d-41e1-8784-c404f91b0267/4186087823.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b9f02b8e-9ede-4639-a154-a1d4935931fd/bonepipafumaleludoxenenoz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f02733f1-a909-4385-9ba4-16473010edec/lukawozebe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4cb9d90b-0186-46e5-891d-bd9b851ecaab/xiwemumu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7fd4210-2db4-4734-a572-a9f1b828a7ce/jijusu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/94f9e994-a565-474c-9944-78611d73f1e4/rixakatevewafo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/21984246-4e3f-44b3-ac69-356274a43c7f/zoliwojopotul.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4ab0edf6-8aa2-42f8-b808-561b3e6bb2f2/limusibarijelabolexemij.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ca25732f-ccaa-431c-b5cc-b713a208bb8e/36129222251.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005cb6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5CB6 5424 bytes
SHA-256: dd2b508eb4cd60c2b03a5264adfa4a6885435aa5956aa57cb80d70e8a200d4a5
font_01_sfnt_off00006f34.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6F34 9932 bytes
SHA-256: c5f355752467767a50abfd33a76c56f651dcdcf883a8a3301ecfd0a7fa871bd6