Malicious PDF — malware analysis report

Static analysis result for SHA-256 41dabf94f5d1379b…

MALICIOUS

PDF

47.4 KB Created: 2020-10-27 05:35:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52df5565ea10a5c3a206c2095085b10c SHA-1: 5c32c41d42eaec6fea078141fdcbd00d2c27402d SHA-256: 41dabf94f5d1379b876bd656ebcad14bdedb2f95bd2630c83726c4a60c797917
234 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, disguised as a password recovery service. It also features a large number of links to other PDFs, suggesting a link farm or SEO abuse. The presence of a password-protected archive lure and an MFA lure indicates a phishing attempt, likely to harvest credentials or session tokens. No scripts were extracted, but the embedded URLs and heuristic firings strongly suggest a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=find+lost+yahoo+password
    • https://kuvinonufero.weebly.com/uploads/1/3/4/3/134307364/87088.pdf
    • https://wozuwonasanava.weebly.com/uploads/1/3/1/4/131483955/pabetezujevusobif.pdf
    • https://viwuwobigoku.weebly.com/uploads/1/3/1/3/131378942/a0ea30303bc.pdf
    • https://tasozowi.weebly.com/uploads/1/3/4/3/134315408/jipanixewavugo_dijuvi_xudomagag.pdf
    • https://zebamejiwan.weebly.com/uploads/1/3/4/3/134312785/xezoreje.pdf
    • https://ruparowix.weebly.com/uploads/1/3/4/3/134350000/dacd20ecc514727.pdf
    • https://dapujevubo.weebly.com/uploads/1/3/1/4/131438680/nafexaze.pdf
    • https://sakukavazu.weebly.com/uploads/1/3/1/3/131379729/ramadu.pdf
    • https://goduvozimaku.weebly.com/uploads/1/3/1/3/131380582/6125758.pdf
    • https://bebamewikirebu.weebly.com/uploads/1/3/0/8/130874540/texumebelegavu-bajus-bosifowovoxij-wewawijonalik.pdf
    • https://cdn-cms.f-static.net/uploads/4418574/normal_5f9710438a4ae.pdf
    • https://cdn-cms.f-static.net/uploads/4375344/normal_5f8f43f530c2a.pdf
    • https://cdn-cms.f-static.net/uploads/4384820/normal_5f8d953d35fc5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/tetazino/dazipeluzenumovinuzinup.pdf
    • https://s3.amazonaws.com/mijedusovineti/zepananimipapotor.pdf
    • https://s3.amazonaws.com/felasorarabipis/61434334193.pdf
    • https://uploads.strikinglycdn.com/files/8c7607a2-6708-4944-8e8b-1a1da45b4682/povosomajatujofubagomik.pdf
    • https://uploads.strikinglycdn.com/files/5f710f4e-7f2f-496b-8753-45e16263d96b/glowgaze_movies_g2g.pdf
    • https://uploads.strikinglycdn.com/files/c847650b-bb97-4b9c-8eb6-20868365b12c/rolavarenam.pdf
    • https://uploads.strikinglycdn.com/files/46159f9f-9962-4d9b-8bf6-df355ea7b486/majim.pdf
    • https://uploads.strikinglycdn.com/files/86d07471-3f05-4bc0-adaa-08400cdfb527/moler.pdf
    • https://uploads.strikinglycdn.com/files/001ee0c6-4349-4771-9523-1f3799970334/21959859052.pdf
    • https://uploads.strikinglycdn.com/files/ac0e7c9e-7505-423f-865f-63e0e88acfde/45773113062.pdf
    • https://uploads.strikinglycdn.com/files/5782ad5b-5f30-409e-8d4f-72ce16f010bf/51031387171.pdf
    • https://uploads.strikinglycdn.com/files/ae468738-5fa9-4deb-8827-c83a525e46d2/24667160603.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d04.bin
e3390f87e033327e7e52aa782e939f9414e3895616076adf2c56fa7719deb64c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D04 4868 bytes
font_01_sfnt_off00007d8b.bin
b99eb3f8c6bf7ce1f5a2407c78db36f5d099d6b6f043c2e120c4815a73c6d013		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D8B 10592 bytes
font_02_sfnt_off0000a1f5.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA1F5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.