Malicious PDF — malware analysis report

Static analysis result for SHA-256 c59a248d1dbb3e14…

MALICIOUS

PDF

49.5 KB Created: 2020-10-13 01:28:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10
MD5: 44d4435befd0ab4aeb53f88fa2b8a801 SHA-1: ea15935b0529309ec63f77f024425f55eb2f04cf SHA-256: c59a248d1dbb3e14575090bcf56f2a59ea464cffa378d232699ad8497e7814a1
234 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=mac+android+adb+not+found In PDF document text
    • http://files.predictivetrial.com/uploads/1/3/2/6/132695813/mososunixa-wizafojimir.pdfIn PDF document text
    • http://files.tedxucr.org/uploads/1/3/1/4/131437172/c6b1161ab4.pdfIn PDF document text
    • http://jejuved.teamtruebelievers.com/uploads/1/3/2/8/132814930/bunedev.pdfIn PDF document text
    • https://site-1038675.mozfiles.com/files/1038675/15064304626.pdfIn PDF document text
    • https://site-1039129.mozfiles.com/files/1039129/lunojosubodo.pdfIn PDF document text
    • https://site-1038913.mozfiles.com/files/1038913/juxapaxoxivajalej.pdfIn PDF document text
    • https://site-1038810.mozfiles.com/files/1038810/86960786525.pdfIn PDF document text
    • https://site-1041926.mozfiles.com/files/1041926/28152442647.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/7405/0458/files/blue_lily_lily_blue_download.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/9918/4022/files/vadaluzak.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/8402/9351/files/only_love_today_rachel_macy_stafford.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/8719/9394/files/kisod.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/9640/3871/files/31568857449.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c17911b8-83ee-4525-abb6-e8bfc6e9f69c/tezopovuva.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/61a0bdfa-162d-45a8-88d7-56c6990ff1ae/32428910573.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/701ad115-4f0a-4477-9062-8e26312d4a0f/92430958942.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/54a4b135-72f9-4c06-be75-2bc8021c693b/44244252355.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eb2d6f07-b1e9-413a-aa90-9680112b97d3/32165837760.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b0a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7B0A 4952 bytes
SHA-256: 4ed93c96d6254db6e46f6fb8f1b38818c00cf2c027828de77f555debfe667a74
font_01_sfnt_off00008bf0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8BF0 12392 bytes
SHA-256: 219a607a381245ea7d1d3d1d4fc0aa313aabaeb38c29621bf17c6eef65b0700d