Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1c80102ab444ee5…

MALICIOUS

PDF

44.8 KB Created: 2020-10-25 09:41:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-01-23
MD5: e75afedcc255f74a892505e60be79594 SHA-1: 7f9293c6891c613518101b72429700c6e4edf026 SHA-256: c1c80102ab444ee51c996032702f43f4c0f0356cb9a5e151efd68942c0feeefc
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/aws?keyword=exercicio+de+atomistica+pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4369651/normal_5f89a877ef5d3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4381085/normal_5f8b099446b07.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366947/normal_5f8f5e2c9b936.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/a6833f60-66c3-4ce0-8551-85ab3b993bec/rabitugopotalekaxo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/94c34c5d-8bd5-4b37-b9bc-4fd7256676fc/jazubamel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a84f8f3d-2ae7-45de-83ab-91fbd79c90bc/41431680866.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0463/0380/5600/files/58999193092.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0472/2914/1157/files/48620425925.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0492/8910/1468/files/daisy_red_ryder_bb_gun_parts_diagram.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/9000/1572/files/pokemon_sun_black_sludge.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0480/8956/3299/files/zimupivojiwotigade.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f41e5761-d040-451d-a38e-2b7ea5476bf3/miduwu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0b038ca9-c94c-4ec1-b5e1-499126401eed/35465417016.pdfIn PDF document text
    • https://s3.amazonaws.com/paxivogedewilu/boriguzik.pdfIn PDF document text
    • https://s3.amazonaws.com/xarojapi/apraz_bula.pdfIn PDF document text
    • https://s3.amazonaws.com/xipavir/razebeboveginegeful.pdfIn PDF document text
    • https://s3.amazonaws.com/felasorarabipis/regevizin.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/66a56c11-3380-4a06-9137-060405bbbff3/paquet_entrept_laiss_shein.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f8edbdd5-d269-4065-aad4-d57fc55c0e23/6915216596.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/00dcefbe-0631-4625-b5aa-56e14d043230/sword_coast_adventurers_guide_google_drive.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/275dfe73-363e-4a3b-91af-e147c8b63bb9/18369088258.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006eb7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6EB7 5292 bytes
SHA-256: b263a3f5338678126e8a508359fa1688d30455574027922ed1474e9888661778
font_01_sfnt_off000080aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x80AA 11284 bytes
SHA-256: c30f10c6bceeaf8f372661a908c3e7c4862da58b361fe523c2df234f4a983c7c

Open this report in the interactive analyzer, or submit your own file for analysis.