Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbc991752521a262…

MALICIOUS

PDF

63.2 KB Created: 2020-10-28 10:09:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-02-20
MD5: d4bd0a0d22e201f93cd54065e67435de SHA-1: e785093b2bc41469d9485f0e99eb8f353e596f96 SHA-256: fbc991752521a262a730eb56d57512b252a4cbf06979ba5f8eee0b53731c558b
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=rehabilitation+theory+criminal+justice In PDF document text
    • https://nipaxibovaj.weebly.com/uploads/1/3/1/3/131379211/sipegedesiridep-tipoxuje.pdfIn PDF document text
    • https://galavalo.weebly.com/uploads/1/3/4/4/134464717/dusejabow.pdfIn PDF document text
    • https://difiraboveju.weebly.com/uploads/1/3/4/5/134508976/lonifokedaki.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370072/normal_5f8bff64a481a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380228/normal_5f921508c7192.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/556f444f-cc3e-443d-9e15-3cc76f94cd40/vuwukotisesobalosu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/103a0e2c-f20c-4c43-9ea7-d8425e847e50/26158837400.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a545a21e-0a4d-4e42-992c-b63175c4c91a/banabiwizali.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ca4c037b-3e57-446e-9100-ae77715a0bca/vagudinav.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2dc8f3bb-db76-42f5-a689-1c9eff5c812a/pokemon_fire_ash_download_gba_rom.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/00142920-8041-4d69-abf6-201853917e44/devodajib.pdfIn PDF document text
    • https://s3.amazonaws.com/nimuwet/11186709874.pdfIn PDF document text
    • https://s3.amazonaws.com/gupuso/23183715100.pdfIn PDF document text
    • https://s3.amazonaws.com/henghuili-files/ziwifesufegejativ.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4ad7cb4-20a4-4764-9e45-a75ecc82a2f5/31477949311.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9b42fca0-a404-4b3f-86bf-57ea94013829/46225662687.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e861fd22-f0ca-4f2c-82fd-0c00a52491be/98898662818.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2a1b2cd6-db23-493c-8da8-aba0d8960b41/40341735803.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/097bb550-574e-4163-8239-34b312d8a861/57324683153.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000c59a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC59A 24216 bytes
SHA-256: ebfadfdf90dace7ac2a294af4b2b9b72ca8f717e40d5b7c537d39c0b4fc5ea1c
font_00_sfnt_off00007791.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7791 6728 bytes
SHA-256: 48c705a0cb7fb5bc2a7762e0c652520b153fbf78da96eea9c562dd2470f27097
font_01_sfnt_off00008e9f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8E9F 5364 bytes
SHA-256: 90e3a54bf09c96882539b3760582b73d2e4108b8c78077b2df04bc070b97b198
font_02_sfnt_off0000a0b6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA0B6 10852 bytes
SHA-256: 020d41f9557e4fe4da9c871d4c61675af52a9a779b8a9571809f2bdf7b9e3ace