Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea2d4a6648425385…

MALICIOUS

PDF

Size: 40.6 KB
Created: 2020-10-23 19:35:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-04
MD5: 6beb59fa9aab4068f70bcb8b42313c6d
SHA-1: 90d6a8e8573753eabb557814f1a7c067db996843
SHA-256: ea2d4a66484253850f91388423232710ef96abbb8152ca23d28633fc71c0542c
Risk score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_UTM_REDIRECTOR_LINK (high): Image lure linking to an SEO redirector (free-download phishing)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005eba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EBA
    Size: 5084 bytes
    SHA-256: 2f72e9626a1e1caa8a4afdb0f840b0e8181bbd9618e5e30fcc2a384f44457869
  • Filename: font_01_sfnt_off00006ff4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FF4
    Size: 11096 bytes
    SHA-256: 7bdc6a5a32720ac9164bbc048940665690cf5543494f6fac413e34c8acc88d32