Malicious PDF — malware analysis report

Static analysis result for SHA-256 e55ab51fdb0ef19c…

MALICIOUS

PDF

43.0 KB Created: 2020-11-01 00:44:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-12-26
MD5: c341776f1712d3c67ca22d45b6a8183a SHA-1: bfd96c8cb1239a80e434ee18068ef7e0bb87726c SHA-256: e55ab51fdb0ef19c44bd190235993eb5896ae6eb118babb3c32b27f6deccd074
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/123?keyword=einstein+on+the+beach+pdf In PDF document text
    • https://konibexik.weebly.com/uploads/1/3/4/5/134515119/vujolepomizoba.pdfIn PDF document text
    • https://vajemedodumuni.weebly.com/uploads/1/3/4/3/134351385/gekefal.pdfIn PDF document text
    • https://texitanoz.weebly.com/uploads/1/3/0/7/130739996/natubanewa.pdfIn PDF document text
    • http://www.ascendercorp.com/In extracted file (font_00_sfnt_off000068fe.bin)
    • http://www.ascendercorp.com/typedesigners.htmlIn extracted file (font_00_sfnt_off000068fe.bin)
    • https://s3.amazonaws.com/felasorarabipis/44641139029.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0506/6666/8230/files/69967973912.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a091144b-d3f6-4f12-af60-09f6d6fa1438/57887582427.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b33f43ef-cfe8-4195-90ec-8d96bca794a1/3773150601.pdfIn PDF document text
    • https://s3.amazonaws.com/jeduzizonox/12444033576.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4487b77-fd11-4f5c-b130-b96fb23bf20d/jefakudafotobuziza.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0498/3160/8487/files/hobby_lobby_credit_card_login.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/24ad6834-246c-47c1-831a-54bc9b46d94c/68686476314.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c620ed95-e0a8-4db2-b6aa-4e5fc5a2c40b/40955752573.pdfIn PDF document text
    • https://s3.amazonaws.com/zetare/alvania_g3.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f558c1bc-3def-4bb0-b933-109cca83aab3/sigudijasigiwe.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn extracted file (font_00_sfnt_off000068fe.bin)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068fe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x68FE 5212 bytes
SHA-256: b1d3b1debe9a4cb99ca5cc44e0a0f0a1943e3cccc873c5dab96f87fdff0bc7da
font_01_sfnt_off00007ab7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7AB7 10808 bytes
SHA-256: 5070b3b14bb31e48610d3c2b367d333def941de382923de00a2b4c21c1900025