Malicious PDF — malware analysis report

Static analysis result for SHA-256 de7bf636e96faba2…

MALICIOUS

PDF

44.0 KB Created: 2020-10-20 15:29:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-01-15
MD5: 4c9654244afd436afbd888e79a3462c0 SHA-1: 4a5fee2543f4a6f7435d6fbc1ff2e284034dfafa SHA-256: de7bf636e96faba21382bbb092db2d0d5c962e69f5ba7b6918bd96772580bd25
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=white+rodgers+programmable+thermostat+manual+1f80-361 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4381962/normal_5f8bc5a400d95.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365646/normal_5f8863e3b797c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369645/normal_5f8968249848b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367313/normal_5f8ce102c31d7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365576/normal_5f89ced940aa2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366063/normal_5f8705774e0fb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379491/normal_5f8ed00eca377.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0498/3449/2071/files/32165088545.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/6304/0413/files/download_apk_root_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0496/6491/7661/files/comment_apprendre_la_guitare_basse.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/049a3105-3cdf-423c-ba28-871c172c6ba8/31651950768.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/364fc204-e5ed-49bb-bcea-c786e1821369/8539389885.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1daf14c0-13df-4952-925a-2ba5a203bf0b/95773109152.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cd0b2746-af8c-42b0-86b8-056ca9bdbf00/96316621219.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/0359/9774/files/download_habbo_hotel_apk_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/1586/0134/files/loquendo_tts_paola_apk.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/6268/8427/files/qcm_atomistique_paces.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060ac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x60AC 6344 bytes
SHA-256: 6811b493ad3957fd1b9cf8a0b1f476b2d090ced61bba82b03ed4fe10466e36e6
font_01_sfnt_off00007634.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7634 14416 bytes
SHA-256: fb408cca3ca6ba8407cb3cc31a547b7067161e7bf67a6af0199d5776611fdb03

Open this report in the interactive analyzer, or submit your own file for analysis.