Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4f1c27da6cb3142…

Verdict: MALICIOUS
File type: PDF
Size: 40.7 KB
Created: 2020-11-07 05:20:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-15
MD5: dab3182e2a2720b0c489ebd4234f11fd
SHA-1: 552ee8ae9935745c7737dd37bf5a2df500e86542
SHA-256: e4f1c27da6cb31427605acdee30e127a1cca4c26131740e2e63262084e0e504b
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000621e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x621E
    Size: 5176 bytes
    SHA-256: 6c0d782a14dd233ce79ea05a93ef9e6cdf2328e32ca9b8d34ac70494b047e7ad
  • font_01_sfnt_off000073e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73E4
    Size: 9916 bytes
    SHA-256: afa866e3d72917e0e730c6937572ef19c72c7a6c1969660fecf63aa54dc8eb34