Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5226f33e61cb27f…

Verdict: MALICIOUS
File type: PDF
Size: 47.2 KB
Created: 2020-10-26 23:20:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: 2581ae27917a075e929b43d538d7fc07
SHA-1: 11b483ddb29b399e67623e055437a3ec3e0b4966
SHA-256: e5226f33e61cb27f88377a6d840f697f32b90cd47509621d477f2ed63bf70cb0
Risk score: 194

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007b0e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B0E
    Size: 5148 bytes
    SHA-256: 4821d00e84663302a5448f64a74d8b659ee498cf3c6574d465c073f83f4c7bc7
  • font_01_sfnt_off00008cc4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8CC4
    Size: 10148 bytes
    SHA-256: de946d128314829e7cc34f112abdb7fe89dea92a65872054e95c5534a42a2175