Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e8b5fcf2e700a81…

MALICIOUS

PDF

211.3 KB Created: 2020-11-27 20:25:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 366a76676f91e5e509b004e76c60e98b SHA-1: 2d45962418def73d5d02b522b62e2701aab53ec8 SHA-256: 3e8b5fcf2e700a81855e22951ec53710d88c0af3e0760b4c3b92e0f6c59e4c5a
124 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://traffine.ru/123?utm_term=vanilla+guide+addon'. This indicates the document's primary purpose is to lure users to a potentially harmful external site. While no scripts were explicitly extracted, the nature of PDF redirects often involves embedded JavaScript to facilitate the redirection.

Machine Learning

  • Nyx PDF Classifier clean score 0.2245

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/123?utm_term=vanilla+guide+addon In PDF document text
    • https://cdn-cms.f-static.net/uploads/4427504/normal_5f9b8737d3340.pdfIn PDF document text
    • https://dutitujazekap.weebly.com/uploads/1/3/0/8/130814390/7971455.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368732/normal_5fb35127774a6.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4450430/normal_5fbb43abb156e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4387919/normal_5fa0101660eaf.pdfIn PDF document text
    • https://babilazumi.weebly.com/uploads/1/3/4/6/134666759/vesigovolilode.pdfIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102HussainIn PDF document text
    • http://smc.org.inhttp://smc.org.inIn PDF document text
    • http://www.indictrans.orgIn PDF document text
    • http://www.thdl.org/http://www.thdl.org/TibetanIn PDF document text
    • https://s3.amazonaws.com/foneniz/hamlet_machine_franais.pdfIn PDF document text
    • https://s3.amazonaws.com/bulozor/anthem_javelins_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/47b33151-8b53-43a5-9341-18315eb43173/66947414867.pdfIn PDF document text
    • https://s3.amazonaws.com/juvetaso/2.3_rotations_answer_key.pdfIn PDF document text
    • https://s3.amazonaws.com/nuselufuzo/global_warming_greenhouse_effect.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • https://gitlab.com/smc/meera/blob/master/COPYINGIn PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
    • http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text
    • http://sinhala.sourceforge.net/In PDF document text
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITSIn PDF document text
    • http://www.gnu.org/licenses/gpl-2.0.htmlIn PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlTibetanIn PDF document text

Extracted artifacts 23

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000136e5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x136E5 8020 bytes
SHA-256: 4ef2f0c76c73aeb36a6e844c92e2f05700031d9068db02623bd9d894b4ad6fed
stream_013_off00023fc1.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x23FC1 40392 bytes
SHA-256: f02363aa38a71251adec86f8fc10dde586cb66f9012ee722ea2e91563b761c1c
stream_020_off0002e481.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E481 3052 bytes
SHA-256: 12f1aa3c7fdace01a7979bca638230f400ea15e3425d752073521a1c193befbb
font_00_sfnt_off00012cb7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12CB7 2272 bytes
SHA-256: 83c65db0afadede794802186c75190c9f7dc912af7da6b1c26f354ac82b2c317
font_02_sfnt_off00014bec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14BEC 3692 bytes
SHA-256: 3888f2ba3d58c0d74ee37253b695118744f9403d02eac2018b01c4dc3c48ad0b
font_03_sfnt_off00015931.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15931 34056 bytes
SHA-256: 528b33e7e67b9032c1427bad14339466e5206f2d11cd19b250e9a14207f494b1
font_04_sfnt_off0001bf1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1BF1F 4684 bytes
SHA-256: aa837366509275d2c15cdd68d38551f20e4e481f26f04da087383ba71cce69fa
font_05_sfnt_off0001cf25.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CF25 2460 bytes
SHA-256: ac04cedc1eb4008a3af77f5e33cdab2aa3bfb3fbbf275a64ff48059ab5dd57ae
font_06_sfnt_off0001d9c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D9C9 2592 bytes
SHA-256: 5d7bccfd47e10599184e74e04b9822a9df04c67870ce239c1cc9670e6c431c66
font_07_sfnt_off0001e3df.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E3DF 2092 bytes
SHA-256: 2af366858a5f99999b2f6001e3e58a9d6cc5f9d08a942dfc3b521814b22209c0
font_08_sfnt_off0001ed29.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1ED29 8924 bytes
SHA-256: 7ddc192dd15c9e0d636580b3b0dda4646f0510fee454fb589ae3874ccbe4fcd0
font_09_sfnt_off0001fee3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FEE3 7596 bytes
SHA-256: 26998cba3a444806b1c0a2732790026b3f7a2cef73a8a3ec58013c33051cf6dc
font_10_sfnt_off0002130f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2130F 13560 bytes
SHA-256: fbfd677edcd18d2fa2e5f7428613b692ac31a81ac6babc6db8347ce968c5f09e
font_12_sfnt_off00029b0b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x29B0B 7708 bytes
SHA-256: 0c8fbec70426647df798ce2c88224ca368b21a9f2dcdb081c7193a56b03eb1e2
font_13_sfnt_off0002ae7b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2AE7B 3956 bytes
SHA-256: 573988b24a83cf2a29428edea61f574400c4c642115e27ad38449b093eff8124
font_14_sfnt_off0002baac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2BAAC 3204 bytes
SHA-256: 094bce1f33c0223341100044284f2795f46b0b41a893a0fbbe2cfec517a9f5b6
font_15_sfnt_off0002c6ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2C6AB 1820 bytes
SHA-256: 5bb7d878a19ca802f5be88322d9b0201625327411903d6756433f9cae9bf80f2
font_16_sfnt_off0002d019.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2D019 3924 bytes
SHA-256: 6f7877e077d6f4fe67a4dd35c074e506768ef268872b0458067f2a85973453db
font_17_sfnt_off0002dc3f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2DC3F 1636 bytes
SHA-256: a9ad9ad0a96fe26ac6797df49b1e626b392e9366165fda36ca18888fb22e3261
font_19_sfnt_off0002f02d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2F02D 2848 bytes
SHA-256: bede9a916fa3474aa7cee2c6a7f587300cf360f8f8d853a340c13d9cda9237dc
font_20_sfnt_off0002fc73.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2FC73 6880 bytes
SHA-256: 1dbb7ed0cd3be4f640a9fa585597dbcb389197a40be30c65c1c3c6bea7ea0a50
font_21_sfnt_off00030df2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x30DF2 9976 bytes
SHA-256: 1d8898fb4cca919f2222c9904d9b1456510b318df81c3ba93b51aedf377b9a52
font_22_sfnt_off0003229a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3229A 9100 bytes
SHA-256: f044f88422513d7b2357ad66fb32fde06b113844937b1973fa0d0c245f5a39b9

Open this report in the interactive analyzer, or submit your own file for analysis.