Malicious PDF — malware analysis report

Static analysis result for SHA-256 febae1a2d86be998…

MALICIOUS

PDF

44.8 KB Created: 2020-10-28 17:37:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-12-26
MD5: dd229816a40f2a05662597f2bb7fe994 SHA-1: 1f8d3a957bd1e497e63aec605fcc62d5adb9d525 SHA-256: febae1a2d86be99833a36937eb32dffda28c5dfb4e8e004fe3f60116bf8feacd
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=hick+hop+upchurch In PDF document text
    • https://cdn-cms.f-static.net/uploads/4413121/normal_5f96c19a1bf53.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4387586/normal_5f9355e5e17f9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369901/normal_5f906977da10a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4404727/normal_5f923590e5a90.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366043/normal_5f86f8c46aff0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380384/normal_5f8dfcd739936.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4391015/normal_5f8e949fef45e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368265/normal_5f898936c031e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4407813/normal_5f92678d6d63a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371261/normal_5f8fb1f479ba7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375341/normal_5f89cd4d7e540.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367305/normal_5f8b294c1e7ab.pdfIn PDF document text
    • http://www.ascendercorp.com/In extracted file (font_00_sfnt_off000071ab.bin)
    • http://www.ascendercorp.com/typedesigners.htmlIn extracted file (font_00_sfnt_off000071ab.bin)
    • https://uploads.strikinglycdn.com/files/4c6a4cb4-59ec-47b4-b48f-8e699cdcc99f/24166321084.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71a3db5a-2d80-49a4-97d3-33e2b8b7fa5d/i_ready_central_learning_games.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0480/4372/0868/files/free_editor_tool_download.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/1155/3473/files/47861456364.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/9625/1810/files/widute.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eb0d7269-328b-4481-9a7f-ba665c123873/momud.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/9713/5541/files/mukagafirasodelinebazumin.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/92dd6f36-cbf3-4856-806e-bf742486f05b/zunolurerifazubeb.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0494/6827/6903/files/maui_jim_stingray_polarized_sunglasses.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/3882/5887/files/67935846730.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8588/2048/files/philips_bipap_v60_manual.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn extracted file (font_00_sfnt_off000071ab.bin)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x71AB 4624 bytes
SHA-256: 645b48786a3da415b75ccfed241d5e93a1103d6cce953a81af0efe6d06bb812c
font_01_sfnt_off00008163.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8163 10724 bytes
SHA-256: f67ccac4dceecdf6364b17a3a204f112a2c992b07760955525ca093a4e5f15f0