Malicious PDF — malware analysis report

Static analysis result for SHA-256 f422b4564bc9de0d…

MALICIOUS

PDF

75.7 KB Created: 2021-03-21 02:17:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f32f0a2aabbc2ccc2d0d0452cf535d2 SHA-1: 9b71f6106c1b24aa360c8fbe999c2c2f9826fa13 SHA-256: f422b4564bc9de0d9dcc510dfd562f65af78d14f691844bc1760d074f447d48d
98 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • ClamAV scan did not complete info CLAMAV_SCAN_INCOMPLETE
    ClamAV scan on this file did not complete (ClamAV error (exit 2)); the verdict reflects only static heuristics. The result is not cached so a later submission will retry the scan.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/aws?utm_term=how+big+is+daggerfall+compared+to+skyrim
    • https://cdn-cms.f-static.net/uploads/4484143/normal_602c01949bc15.pdf
    • https://cdn-cms.f-static.net/uploads/4421939/normal_6020427b8fdb9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fcf71288-1399-431c-8b03-e4edc0f78c5c/33503455072.pdf
    • https://uploads.strikinglycdn.com/files/84e92ed2-9a72-498b-bac3-4791a2422417/19883708619.pdf
    • https://s3.amazonaws.com/xurixado/damask_sheets_nz.pdf
    • https://67dec473-0a9c-497c-80b1-62a4c84c5046.filesusr.com/ugd/0aab01_258789ebddb14b4991b59c83d4eb5cab.pdf?index=true
    • https://uploads.strikinglycdn.com/files/571883af-108a-4ddb-97d3-e808c39f3a33/madufemevojeramevo.pdf
    • https://s3.amazonaws.com/fatikonavori/balance_sheet_meaning_in_english.pdf
    • https://s3.amazonaws.com/posaxugidut/39505470938.pdf
    • https://8c77b9b7-c39b-43d6-9406-6086bd2c0f93.filesusr.com/ugd/ee6770_f874d67e092a4d16beb71b6218e5645b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/eb66f54f-3e8d-4bdd-b5d3-09337533d8ec/ck100_key_programmer_manual.pdf
    • https://uploads.strikinglycdn.com/files/e0a64ed7-2485-4496-95d3-cb889494cd70/23233445391.pdf
    • https://e0271a52-a7af-48e9-8a99-924ce320ec62.filesusr.com/ugd/be5703_f790bb9f2a68471ebc99752939d4cce9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c9205066-6c6b-4261-a7e5-ac22ba0b864a/7414659105.pdf
    • https://uploads.strikinglycdn.com/files/5ef62402-3ccc-4a23-8479-5322ff8a1747/vekanibizumugadoni.pdf
    • https://c72a6d71-2fad-4f5a-8b7a-a7c165485bce.filesusr.com/ugd/a4966f_9de817440a644f798fc714f060979d8c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2c717d26-9f77-4a53-bc98-239c88560b5d/2378143048.pdf
    • https://c504e2ef-f928-4e80-b5b1-fc05046f432e.filesusr.com/ugd/247f25_ce1074f286ad46ddb12a4016eaddf0b6.pdf?index=true
    • https://a8a2d6b8-6248-42a0-90a4-e25e421c2e59.filesusr.com/ugd/f63f29_cb912d2bbaa7462ab55a8cdff35aa9fb.pdf?index=true
    • https://0306adf0-382e-42f1-903d-71c3961c97f1.filesusr.com/ugd/7ff653_38afd0a715f447bf97ed2a5d687b1ac2.pdf?index=true
    • https://e6c529cc-411f-4195-b5ea-7b5fd081490a.filesusr.com/ugd/b7ab08_ecc7b4abee8a486aa7d5cedfbe22253f.pdf?index=true
    • https://99442e0c-e188-470f-b1e9-a2082f9e7f28.filesusr.com/ugd/2274a7_e7c235c8df6c42708223c75646b4840b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bfd257c7-d9cc-4ed4-b7e8-49f5cbcb5aca/how_to_be_an_iso_9001_certification.pdf
    • https://3d73ec66-e24e-4607-99a5-aa3c333c10ea.filesusr.com/ugd/a96454_ca458230db4b4adda30541c7f5c761e0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e86a.bin
8fe71b75e845b39023c997902af1ea30eb3df2a8d2f754d310ea811b438670ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE86A 5836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.