Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1f8721aec591ee8…

MALICIOUS

PDF

50.4 KB Created: 2020-10-14 21:52:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-19
MD5: 2d2ef6b7d81267a47619a00c64bc180c SHA-1: 64805349b32ab09588b3ae49cb9381082dbf0d12 SHA-256: c1f8721aec591ee8e530966651c56008722c88884832aca7921fc6836af02d89
264 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=fastest+android+web+browser+2020 In PDF document text
    • https://pivozedotafi.weebly.com/uploads/1/3/1/0/131070355/9cd53e3d8b3.pdfIn PDF document text
    • https://vuzevarezevarot.weebly.com/uploads/1/3/0/7/130740461/detusesusixer.pdfIn PDF document text
    • https://dimaxafazeza.weebly.com/uploads/1/3/1/4/131453031/2697538.pdfIn PDF document text
    • https://site-1039695.mozfiles.com/files/1039695/zelojanojetazazujixixevol.pdfIn PDF document text
    • https://site-1043120.mozfiles.com/files/1043120/95726397693.pdfIn PDF document text
    • https://site-1042619.mozfiles.com/files/1042619/88166904568.pdfIn PDF document text
    • https://site-1039270.mozfiles.com/files/1039270/33327948799.pdfIn PDF document text
    • https://site-1042276.mozfiles.com/files/1042276/vukulaxebunefuxug.pdfIn PDF document text
    • https://site-1041579.mozfiles.com/files/1041579/61837580809.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/4271e6cb-cbed-4e1a-bfa4-1ade5fabc490/86560185106.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9172aa71-89b1-44ad-8f41-adf37190ab3b/sedago.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/945ce7b8-1c33-4fd0-9c01-299aa4a74b5c/44988407098.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/6447/5299/files/how_to_spell_8.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/2273/2445/files/watch_skam_free_online_season_1.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/0217/0008/files/wuweguleze.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/9528/8744/files/real_steel_full_movie_mp4.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0441/0998/7992/files/2645897268.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/3158/5180/files/isaac_newtons_three_laws_of_motion_worksheet.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007a95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7A95 5036 bytes
SHA-256: 960e6ffaea459201d64aefb0b1b5e2bb6a7121caa739135c9fa079303b4fde71
font_01_sfnt_off00008bc1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8BC1 9996 bytes
SHA-256: 27064189b0d7934d6b56b01fa4386cbad2cf39fc30cfc852fc80697904aa0f86
font_02_sfnt_off0000ae0b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAE0B 4324 bytes
SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f