Malicious PDF — malware analysis report

Static analysis result for SHA-256 f96a9b62adca5944…

Verdict: MALICIOUS
File type: PDF

Size: 57.6 KB
Created: 2020-10-08 02:04:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-17
MD5: d0a77eb1109a8fcb80f244b11eb571bd
SHA-1: 946b274b020f0cf69b920d1e4f49f2728ea03596
SHA-256: f96a9b62adca59442ad7cb177484f29a77f4e2aacb262654957dc781cef51a77
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/strik?keyword=top+down+bottom+up+approach+pdf (in PDF document text)
    • http://wafogo.custercadet.com/uploads/1/3/0/8/130874426/c556d2bc7d14e.pdf (in PDF document text)
    • http://wojodo.1kcshop.com/uploads/1/3/0/7/130776445/jenuvivazufag_xetalifafozulor_wuwev.pdf (in PDF document text)
    • http://files.xcelitek.com/uploads/1/3/1/6/131637271/484ef2d.pdf (in PDF document text)
    • https://site-1037188.mozfiles.com/files/1037188/suxow.pdf (in PDF document text)
    • https://site-1040359.mozfiles.com/files/1040359/70955488311.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/9844/2401/files/julius_caesar_act_4_and_5_test.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/0367/7341/files/82460635463.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0479/1484/4327/files/danmachi_memoria_freese_wargame_guide.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0431/7590/3392/files/triamcinolone_acetonide_baby_acne.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0481/3779/7799/files/fugepaxurubefakojosejemuv.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0433/1782/1605/files/phat_di_lac_coi_ca_chep.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/7760/1946/files/20768235442.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0440/9245/7112/files/miyuki-chan_in_wonderland_characters.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0496/7884/4068/files/acuity_golf_clubs_yellow.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0482/4396/6104/files/sony_ps3_universal_remote_code.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Note: the w3.org, purl.org and ns.adobe.com entries are standard XMP metadata namespace URIs and scripts.sil.org/OFL is the SIL Open Font License URL; these are boilerplate from the wkhtmltopdf/Qt writer and the embedded fonts, not contact points. The ascendercorp.com entries point at a font foundry and most likely come from the embedded fonts' name records rather than the lure content. The actionable set is the gettraff.ru redirector and the clustered /uploads/.../*.pdf and cdn.shopify.com links.
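
The shape of two of the heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), as an added Python example that is not the scanner's own code: it runs over a small PDF constructed inline with invented hostnames, and the size, link-count and host-share thresholds are assumptions chosen for illustration, not the values the scanner uses.

```python
"""Added example: link-farm and duplicate-object checks over a constructed PDF.
Not the scanner's code; thresholds and hostnames are illustrative assumptions."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (hostnames invented): link annotations that mostly point at
# one host's /uploads/.../*.pdf paths, plus object 6 defined twice with different
# bodies, the second copy appended the way an incremental update would.
LINK_HOSTS = ["files.farm-a.example"] * 6 + ["cdn.farm-b.example"] * 2
ANNOTS = "".join(
    f"{10 + i} 0 obj << /Type /Annot /Subtype /Link "
    f"/A << /S /URI /URI (http://{h}/uploads/1/3/0/{i}/{i:06d}.pdf) >> >> endobj\n"
    for i, h in enumerate(LINK_HOSTS)
)
SAMPLE_PDF = (
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    "3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
    + " ".join(f"{10 + i} 0 R" for i in range(len(LINK_HOSTS))) + "] >> endobj\n"
    "6 0 obj << /S /URI /URI (http://www.fonts.example/) >> endobj\n"
    + ANNOTS +
    "trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    "6 0 obj << /S /URI /URI (https://redir.example/strik?keyword=top+down+pdf) >> endobj\n"
    "trailer << /Root 1 0 R >>\n%%EOF\n"
).encode("latin-1")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicated body "active content" rather than filler.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/SubmitForm")


def extract_uris(pdf: bytes) -> list[str]:
    """URLs reachable through link-annotation /URI actions (one EMBEDDED_URL channel)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(pdf: bytes, max_size: int = 100_000, min_pdf_links: int = 5,
                    min_top_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, clustered on one host.
    The three thresholds are assumptions for this example."""
    pdf_links = [u for u in extract_uris(pdf) if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_n = (hosts.most_common(1) or [("", 0)])[0]
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_share": round(share, 2),
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_top_share,
    }


def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same 'N G obj' defined more than once
    with different bytes. Reports what a first-wins and a last-wins reader would resolve,
    and raises severity only when one of the bodies carries active content."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = {}
    for key, seen in bodies.items():
        if len(set(seen)) < 2:
            continue  # single definition, or byte-identical repeats
        active = any(k in body for body in seen for k in ACTIVE_KEYS)
        findings[key] = {
            "first_wins": seen[0],
            "last_wins": seen[-1],
            "severity": "high" if active else "info",
        }
    return findings


if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    for key, f in duplicate_objects(SAMPLE_PDF).items():
        print(key, f["severity"], f["first_wins"], "->", f["last_wins"])
```

A real scanner would also walk the page tree and object streams rather than regex the raw bytes, and would count URLs from the text layer as well as link annotations; the point here is that the two heuristics need nothing but object bookkeeping and a host histogram, and that the duplicate-object check only matters when the two bodies resolve to different actions.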

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000a429.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA429   5368 bytes
    SHA-256: 6564dc5d355c8a27c033b6de74d9662c89fb38e0ec69ddfe119c242fe90a5dc2
font_01_sfnt_off0000b64a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB64A   10176 bytes
    SHA-256: e749991d491b6d9ab6a01ee1cfa71931103b24784395e08af6fb7deef2fbb851