Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddf3d197e4e0f5a5…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Created: 2020-11-07 11:04:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-01-23
MD5: 5a9c316aecbc551056ad234118f6de3f
SHA-1: a22b556ae9be6d70cac53084bf428fb94c712e46
SHA-256: ddf3d197e4e0f5a5eecce8b5b18d2f1c9e713604c808fcd6f2d1ca7e739f6b8e
Risk score: 126

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel that reached each):
    • https://trafftec.ru/aws?keyword=teen+idols+4+you+actor (PDF link annotation)
    • https://jakedekokobara.weebly.com/uploads/1/3/1/3/131381480/4918653.pdf (in PDF document text)
    • https://tedomidile.weebly.com/uploads/1/3/2/7/132712102/34dc5019.pdf (in PDF document text)
    • https://jidugurulepapol.weebly.com/uploads/1/3/4/3/134310086/bojopovuwawawa_tixodax_nivusuvawi.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367271/normal_5f87abf4014de.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366324/normal_5f8786ad554e9.pdf (in PDF document text)
    • https://juragubiv.weebly.com/uploads/1/3/0/8/130874328/03fb1a04.pdf (in PDF document text)
    • https://tikofasej.weebly.com/uploads/1/3/4/6/134615027/jadetuzodifoporeten.pdf (in PDF document text)
    • https://mumevifovamix.weebly.com/uploads/1/3/4/4/134486033/woxibog.pdf (in PDF document text)
    • https://bameveba.weebly.com/uploads/1/3/4/1/134108569/0dc29df52e.pdf (in PDF document text)
    • https://lipowuripipu.weebly.com/uploads/1/3/1/3/131378852/21c8f.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/65bfa02f-f31b-427b-a1ea-5737a56e3997/pho_and_roll_menu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/764021ca-4f8a-4905-8ee7-de9a97fe196d/les_poux_sont_de_retour_mot_parents.pdf (in PDF document text)
    • https://pekitum.files.wordpress.com/2020/11/final_destination_3_download.pdf (in PDF document text)
    • https://gusakura.files.wordpress.com/2020/11/luwipovafim.pdf (in PDF document text)
    • https://regetus.files.wordpress.com/2020/11/the_crucible_lesson_5_handout_10.pdf (in PDF document text)
    • https://pokavatirog.files.wordpress.com/2020/11/love_nat_king_cole_sheet.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off000049e4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x49E4
  Size: 5072 bytes
  SHA-256: 2db5a0061263a7a374a85d35f9f33b424578688f4f7cff20aa6486f01ce68508

font_01_sfnt_off00005b3f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5B3F
  Size: 10476 bytes
  SHA-256: e5b6798fab9c020b354d7c6c7a79e80f8d063d244faf69b073a9edb837d64751

font_02_sfnt_off00007eda.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7EDA
  Size: 16120 bytes
  SHA-256: b8fa99db91b4e2a38fb01ca4f8dfd1970d271bfdaf7323161a8b02e369b8fc98