Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6daab892cf8ceb2…

MALICIOUS

PDF

46.2 KB Created: 2020-10-16 02:49:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: 7cbf4b277b5249b600ca095b48eb5d2b SHA-1: 7e7b5ab0d3b56bd1cf96c363c69409190abba116 SHA-256: c6daab892cf8ceb2333c36d4a1c4b7b3aabe3a6be8963255e5eae49a29e7620b
214 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=bascule+rs+nand+pdf In PDF document text
    • https://site-1042106.mozfiles.com/files/1042106/change_management_case_study.pdfIn PDF document text
    • https://site-1039618.mozfiles.com/files/1039618/fotopuxegijejosi.pdfIn PDF document text
    • https://jukafubu.weebly.com/uploads/1/3/0/8/130874261/revowo-mutitikiva-wiwegovinajo-tuxatusejuze.pdfIn PDF document text
    • https://nanorobudilason.weebly.com/uploads/1/3/0/7/130775181/jilejobelado.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369168/normal_5f88df7830fde.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366367/normal_5f87701617a81.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366305/normal_5f88b8d5c3761.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366676/normal_5f872fc74c42f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367305/normal_5f87623810069.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366020/normal_5f874e627b25b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368788/normal_5f88d97731510.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366661/normal_5f8726b8ade3a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366359/normal_5f87f6d19d10c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366371/normal_5f872e2661b80.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367617/normal_5f87650c49f92.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0485/2072/4635/files/mekobunurudumisaten.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/7673/0528/files/p90x2_yoga_worksheet.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/8654/3546/files/43141178239.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/8666/6658/files/impact_of_colonialism_on_brazil.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6FEC 5200 bytes
SHA-256: f602110804722be6017c7b404d2c12629b76c37c8e4274e6ad5bd40f177f6493
font_01_sfnt_off0000819c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x819C 13208 bytes
SHA-256: 39fe7ac0d8c8fd146eb50080cfe068c00db6d58f3f13a86efd3efe25521e1065

Open this report in the interactive analyzer, or submit your own file for analysis.