Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b33e6c249acf565…

MALICIOUS

PDF

48.5 KB Created: 2020-11-02 00:03:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23
MD5: 47bc0c9450eaa7ffa56991d8225642c3 SHA-1: efdad86b070cf71ede7726c1b686ca74f96135d9 SHA-256: 2b33e6c249acf5656ae57239b90c0f2a8c92c33304efcd283091ae0db4cbc698
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains heuristics indicating it is a malicious redirector and a credential phishing lure impersonating Microsoft. It directs users to a malicious URL, which likely leads to a fake login page designed to steal credentials. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://nipufijupetobug.weebly.com/uploads/1/3/1/4/131482996/b2e508ab.pdf.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=hotmail.co.uk+sign+in+login+uk In PDF document text
    • https://nipufijupetobug.weebly.com/uploads/1/3/1/4/131482996/b2e508ab.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379380/normal_5f9155db2c029.pdfIn PDF document text
    • https://diveziriluro.weebly.com/uploads/1/3/4/4/134447321/2404c8697.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369932/normal_5f90ac25c13bd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369334/normal_5f946ae223b8f.pdfIn PDF document text
    • https://jaketomerinojox.weebly.com/uploads/1/3/4/1/134109184/xuxipovurerufu-kigapusudapem.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367921/normal_5f8a114b629fc.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368478/normal_5f887e1d93e26.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/ac373c3c-9e40-4fcf-b5d5-97abd620c622/97628895019.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/9795/4743/files/esl_reading_lesson_plans.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/3068/9984/files/kinemaster_pro_mod_full_unlocked_apk_2020.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0507/3879/0591/files/lezusitalezebiso.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/7164/9960/files/viessmann_vitopend_100_who_manual.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8650/4626/files/61451017446.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3a73c4f-6090-4b31-be80-e500cc784a3d/17856831451.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0491/8145/8598/files/mosemakebubot.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000688a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x688A 5080 bytes
SHA-256: d724c395f6e8edc055450b94d137e97663f0591d9caff18c5468cc2e951c2228
font_01_sfnt_off000079c1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x79C1 11184 bytes
SHA-256: 3c83e74756c00a7d9e95806395c108698c9018e9b69167d6ebcca0d88edfe0f5
font_02_sfnt_off0000a023.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA023 16088 bytes
SHA-256: 700ff7bf493bf9bab5e7bd19ce07725d6ad682c9ec1bd4c381fbd4d74ba1924a

Open this report in the interactive analyzer, or submit your own file for analysis.