Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec9cb5ae3b471312…

MALICIOUS

PDF

34.8 KB Created: 2020-10-03 10:40:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-04
MD5: a2bd2fb282d073f6ec23fdb1f4e101a2 SHA-1: e1777a515bd99f1af85e674291babab21ab9c257 SHA-256: ec9cb5ae3b47131217e3a0742a8f442ccb7db3fc8ab643cad4cd5f31a0444acf
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=maps+francaise+fs+19 In PDF document text
    • http://files.carynsbeautysolutions.com/uploads/1/3/1/3/131379296/ziriwetedobota.pdfIn PDF document text
    • http://fusegis.michaelphelannotary.com/uploads/1/3/1/4/131453870/7506544.pdfIn PDF document text
    • http://files.winndems.org/uploads/1/3/1/3/131383791/vesinobafigan.pdfIn PDF document text
    • https://site-1036969.mozfiles.com/files/1036969/defikavovobofesagudo.pdfIn PDF document text
    • https://site-1039948.mozfiles.com/files/1039948/95528727040.pdfIn PDF document text
    • https://site-1038771.mozfiles.com/files/1038771/zazonodasi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/6bf2ceb4-2258-42f4-a005-cb2fe547da12/xiwefanefidi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a72d8e53-2979-4589-ad6c-079e212d3e5c/wuxudigemogovebukafebu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6cf94822-a654-475b-a465-cfe34a61f960/11761246428.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4864f2a6-44a1-4a28-bad0-58ffecf61a85/lixutezumasanokiv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/23c31f8c-1539-4faa-90ea-055132d2c84b/54072615531.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2eb116cf-8820-4873-9cb8-dc6ec24f2a46/lugumuxudo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/07357684-4c90-47a3-a51e-d56615f9f920/fawiledowexuzunid.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/28be4395-e9c3-4e82-a518-d816905c5641/fepatifakexizegobileran.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3997b0ab-3282-4ada-a78b-d86331836203/3242331157.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/03c4185c-349c-44ec-ac1d-05024dd51779/vegevarubakasinivonubebaw.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a50.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4A50 5192 bytes
SHA-256: a84537443c367d0de2a998ae487d6eeae2f75da4a507da3ac2fe3b5a344fd21c
font_01_sfnt_off00005c19.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5C19 10020 bytes
SHA-256: 1c2f3c88d7a76e5d74f7a6eda2391897084adcd8176f44e066ced6e03b661997