Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea24105945d9c9dc…

MALICIOUS

PDF

47.0 KB Created: 2020-10-01 06:45:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: db65ced58600dc399788bfe5c97804a7 SHA-1: 29e68cbd2d337151c2895d14957167e5f7fa0c8e SHA-256: ea24105945d9c9dccf651daaa6172c860cc0a8e222be37b108f68edbe62d8716
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=atrahasis+epic+pdf In PDF document text
    • http://duloj.labcharter-pto.com/uploads/1/3/1/4/131406821/838d70f69030.pdfIn PDF document text
    • http://dekajupe.chadlehrmann.com/uploads/1/3/1/4/131437508/bobupusonugoza.pdfIn PDF document text
    • https://site-1036830.mozfiles.com/files/1036830/21610164275.pdfIn PDF document text
    • https://site-1036907.mozfiles.com/files/1036907/tujanidobebaxalidewa.pdfIn PDF document text
    • https://site-1037204.mozfiles.com/files/1037204/xozejap.pdfIn PDF document text
    • https://site-1037203.mozfiles.com/files/1037203/bulofebelepisafux.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/5f34d04a-1deb-4dae-9a1b-33d6e241b679/70234940768.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/706e7e37-35d5-4a28-b8ab-026a95cc7e65/tojalofenaviwa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bf162227-32c3-4999-93a6-320cc01c93e4/99532623744.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/02c1f7cf-b109-42c1-abaf-9d18536d5caf/12333192729.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7fc86943-7027-4924-9ac6-918a570f71fb/80799647059.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4a6f7bc0-2f3e-45ae-a73d-444d34a3d9fa/73281212505.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f3688bb-ddbc-4f5e-97c7-318c2af1c0b9/38998355762.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/448f4426-4f8b-49d4-bccc-810f5aae1df0/ninelaju.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006eab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6EAB 4772 bytes
SHA-256: 5379df954b947933f936f298609ab16e7f5155fcb230aa10c16ea0f9883aad6f
font_01_sfnt_off00007eee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7EEE 10084 bytes
SHA-256: 0de5f40d7226d5d02b1dd9e3b9693820cec3a15e1c709917efb252a40a00fdb4
font_02_sfnt_off0000a17b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA17B 4324 bytes
SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71