Malicious PDF — malware analysis report

Static analysis result for SHA-256 e89f185f421531f6…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2020-09-19 22:41:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-03-31
MD5: 81d8984c563ce605e9db3eed7652f947
SHA-1: 897b7d31871fa081633a7e8518cd9505312f9102
SHA-256: e89f185f421531f69e6a5be6aabf9dd29b7e0b6d28f7da3176f6eb0b2f237dc8
Risk score: 184

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • https://ttraff.me/wix?keyword=bridges+in+mathematics+grade+3+unit+1+answer+key | In PDF document text
    • http://files.mosineevolleyball.com/uploads/1/3/1/3/131383541/3238472.pdf | In PDF document text
    • http://nivemu.doinaalexei.com/uploads/1/3/1/0/131070867/regemenat.pdf | In PDF document text
    • http://www.ascendercorp.com/ | In PDF document text
    • http://www.ascendercorp.com/typedesigners.html | In PDF document text
    • https://9e6550f4-46a3-4207-b4d3-b9d162d8d8d8.filesusr.com/ugd/49be48_661fd7504d5c44d2bbb179cd74b5770a.pdf?index=true | In PDF document text
    • https://7790a336-1ab2-4ca1-8086-a2848473094a.filesusr.com/ugd/2c76f4_bf4c3a622e72436d8923647fde1f0dab.pdf?index=true | In PDF document text
    • https://d96afde6-23aa-4e5f-b3e1-7609dbbd9c1f.filesusr.com/ugd/6a7407_d2a7f3e637304556bf9c07416a6b6ae4.pdf?index=true | In PDF document text
    • https://580f23ac-158a-406f-93c9-d79829afb0d3.filesusr.com/ugd/b13fd1_56a754c003d840409ae1a3b4b64cb6bb.pdf?index=true | In PDF document text
    • https://6effd2a3-667b-4455-8d76-b1a3f441f75e.filesusr.com/ugd/7598fa_f2da9d65f03241fab3bf195c3673e665.pdf?index=true | In PDF document text
    • https://66e259b7-29b7-4486-97ce-524e0043327c.filesusr.com/ugd/0a0016_31acbe16d8c9459cbac28e9140b35cf9.pdf?index=true | In PDF document text
    • https://c122a882-de49-4116-988f-338791757065.filesusr.com/ugd/cc03df_70a46d0ce0ff466da0d6d366b0e9e62e.pdf?index=true | In PDF document text
    • https://61c21a81-ffbe-4e34-9763-edb3c6061a68.filesusr.com/ugd/41a0b6_1c67c3b02bba4820a9daf2410344f17c.pdf?index=true | In PDF document text
    • https://563304bb-9c67-4852-9001-bd8291d876c8.filesusr.com/ugd/82d61e_91c564c25ef446a49aa8e2cafb84f48f.pdf?index=true | In PDF document text
    • https://df7a2c21-13a1-4929-8e84-9917587d856a.filesusr.com/ugd/565485_8d73ce472e164f8da399624b84be9528.pdf?index=true | In PDF document text
    • https://cdn.shopify.com/s/files/1/0429/6006/0567/files/rusavidodimotawep.pdf | In PDF document text
    • https://cdn.shopify.com/s/files/1/0437/9879/0301/files/arapa_reniyorum_kitab.pdf | In PDF document text
    • https://cdn.shopify.com/s/files/1/0437/4259/3189/files/98714255365.pdf | In PDF document text
    • https://cdn.shopify.com/s/files/1/0430/7845/1349/files/new_hire_onboarding_process_template.pdf | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ | In PDF document text
    • http://scripts.sil.org/OFL | In PDF document text

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00004880.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4880 | 5844 bytes
  SHA-256: f699f2e9afd46c71ec97a454b345d1d6560c45cef1384a00e94eca973230a113
font_01_sfnt_off00005c5e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C5E | 9860 bytes
  SHA-256: 369ff04e27da0c4eebce585117e9e2277bfb09d041c40fa5e12a05638b946eb2