Malicious PDF — malware analysis report

Static analysis result for SHA-256 3acf8941e795b3b7…

Verdict: MALICIOUS
File type: PDF
Size: 50.8 KB
Created: 2020-10-26 17:56:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-25
MD5: 252852bf384126422f8ec92b39096163
SHA-1: b708bac7f585c8372d6850ffb8d228e06d33edd1
SHA-256: 3acf8941e795b3b70988d178d125db8e5b2f5f7c9c11d18b0c16e3f77f8ec01b
Risk Score: 214

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (6)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size        | SHA-256
font_00_sfnt_off000078f2.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x78F2  | 5004 bytes  | 3d20c14f0c3400feeb2348f3925c43c35e81f7952e4a9cc43471eaf0a79b6672
font_01_sfnt_off000089d1.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x89D1  | 11220 bytes | 202b5231f4d8b7145f635f482f39f52d6b5a637bb6e9408e4dd15f4c3544639c
font_02_sfnt_off0000afac.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAFAC  | 4324 bytes  | 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176