Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebbf60c13cf519ce…

MALICIOUS

PDF

Size: 37.1 KB
Created: 2020-10-27 02:47:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: dd585009a5ac99de3c5578c9f1812e88
SHA-1: ff19f5fdf999d1232ac7c0b6a0708e0d3af7f192
SHA-256: ebbf60c13cf519ce8421065c96dd46d1c3b450474d5c25cb828f7d9aa47bb72f
Risk score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
font_00_sfnt_off0000512a.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x512A   | 5448 bytes
  SHA-256: 3e66cfe7d71b3e2f53f0510d163748ef8943f453dea1a81b470899bf9311b412
font_01_sfnt_off000063ab.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x63AB   | 10632 bytes
  SHA-256: c163b6536c72c96037233dc5cc22ac3aba99e913fba734ea24a72774958ad4fd