Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f66360c461f999e…

MALICIOUS

PDF

Size: 41.5 KB
Created: 2020-10-19 05:41:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 59750dac8116f3b85177b0014e49cef4
SHA-1: bb5cd246eb76727b6fbcdf8892dfcfeed5657b35
SHA-256: 4f66360c461f999e1992164e841c064377fee6faeb4b9babaed8dd8baf841581
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links, including one pointing to known malicious redirector infrastructure. The document body text and embedded links suggest a lure related to 'union bank mobile app apk', indicating a phishing or malware distribution attempt. The presence of many external PDF links also suggests SEO manipulation for traffic redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cctraff.ru/123?keyword=union+bank+mobile+app+apk (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006c46.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6C46   4592 bytes
  SHA-256: 18dd691718beceb396652dd7132f77203bc12da56cc22d4829af7e8f867517c9
font_01_sfnt_off00007bbb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7BBB   10380 bytes
  SHA-256: 899174d5b89de49b178464f03c06fd877567615c4c94453ff964d1803e92f8d3