Malicious PDF — malware analysis report

Static analysis result for SHA-256 c41f825011092ff3…

MALICIOUS

PDF

Size: 180.9 KB
Created: 2020-11-20 05:50:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: f1c4dfe96631dd1d05631b9416c28da8
SHA-1: 125aee3638e8ba9cb4376f6383d2a3a10a862a0e
SHA-256: c41f825011092ff3a1864edf9cb4748c6a3a95f89d2875da3b408a61b56dcc4e
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9731

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/123?utm_term=tsubaki+nakatsukasa+birthday In PDF document text
    • https://cdn-cms.f-static.net/uploads/4425768/normal_5fa8a5553a253.pdf In PDF document text
    • https://fofexajadovobu.weebly.com/uploads/1/3/4/7/134711713/dixumawutuve.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4421333/normal_5f9fd246bb238.pdf In PDF document text
    • https://donudokenib.weebly.com/uploads/1/3/4/6/134695728/591e0.pdf In PDF document text
    • http://www.ascendercorp.com/ In PDF document text
    • http://www.ascendercorp.com/typedesigners.html In PDF document text
    • http://fedorahosted.org/lohit In PDF document text
    • http://www.opentle.org In PDF document text
    • https://s3.amazonaws.com/waxejajinigafu/tekesugonelipukerasazu.pdf In PDF document text
    • https://s3.amazonaws.com/sepawi/karuppusamy_kuththagaithaarar_movie_song.pdf In PDF document text
    • https://s3.amazonaws.com/megulu/credit_risk_management_thesis.pdf In PDF document text
    • https://s3.amazonaws.com/zukogi/57006172684.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/5566039d-4262-4e9c-a504-8ec85c86a36f/8933076013.pdf In PDF document text
    • https://s3.amazonaws.com/felasorarabipis/20141293974.pdf In PDF document text
    • https://s3.amazonaws.com/xufaxoferugod/21165107126.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/cc7ddff9-1bbe-41c8-9281-bf5aa9776016/rovekirizitubepuzupi.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/21710d84-406d-4fc5-bd86-1390a2309009/lusojora.pdf In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ In PDF document text
    • http://scripts.sil.org/OFL In PDF document text
    • http://www.gnu.org/licenses/gpl.html In PDF document text
    • http://dejavu.sourceforge.net In PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/License In PDF document text

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off0001db59.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1DB59    39552 bytes
  SHA-256: a437f43adc3396101a71184841b0faf6f66efbcf1b720c38fdd37eb8993fdd10
font_01_sfnt_off00025329.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x25329    5136 bytes
  SHA-256: 8a62a079e8ee651528c34f93dca752b0e53c9ab71ce35ff2fc33c45922f0b157
font_02_sfnt_off00026497.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x26497    2316 bytes
  SHA-256: 1f4ab3dc7109b145c55e010206da44dc5b766b523135897298ed1d8498437569
font_03_sfnt_off00026e7b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x26E7B    5852 bytes
  SHA-256: 0460e4b819836684ee646564f23d3767bfcf5407a742f126e14b557faf704447
font_04_sfnt_off00027d32.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x27D32    16208 bytes
  SHA-256: c5e42bb4b01acfb43879b1a331e0e1bc008d95e61d51101713328b36a001efbc
font_05_sfnt_off0002ac8a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2AC8A    16452 bytes
  SHA-256: 807f1481ad4350a8bdeaf390df8beb275f50ba1858a39b836b80f17cddad538d