Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb906cd01ddfb89d…

Verdict: MALICIOUS
File type: PDF

  • Size: 46.6 KB
  • Created: 2020-10-25 20:22:13 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2020-12-26
  • MD5: 4ba25349f8ec31498ea7ad01f41372f1
  • SHA-1: b8295173c6bd87297765490e10e7f8ced7807c03
  • SHA-256: eb906cd01ddfb89da0fad3d08435e9691d8bed939dadb68012eceef1cddcbd76
  • Risk score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007680.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7680
    Size: 5128 bytes
    SHA-256: a3882f3b168e1f8e1fc0bf7f3269425275db03240f3eacda5449af086c86c0c9
  • font_01_sfnt_off00008807.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8807
    Size: 10772 bytes
    SHA-256: 09a89756e8acfa9828eb153b572a4cce1c737fcf198849086ae1ffee8142a4fa