Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8191f87e39d1b28…

MALICIOUS

PDF

70.2 KB Created: 2020-10-30 10:01:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: af9f03ab0b21689ba4399d8aa0416460 SHA-1: 8b01165f8145fe94175aa33dfd33719b052ce433 SHA-256: c8191f87e39d1b2899c0a0036b21e6dec3f5c69f8f86cd88433ff84706999e4b
254 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a fake CAPTCHA lure designed to trick users into clicking malicious links. One such link, 'https://gettraff.ru/aws?keyword=plazma+burst+2+new+study+hall+games', is identified as a malicious redirector. Another link points to a credential phishing lure hosted on weebly.com. The document also functions as a link farm, containing numerous external PDF links, likely for SEO manipulation or to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://buveziketi.weebly.com/uploads/1/3/1/3/131398526/6882099.pdf.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=plazma+burst+2+new+study+hall+games In PDF document text
    • https://cdn-cms.f-static.net/uploads/4372378/normal_5f8acda7d6e91.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393506/normal_5f9adfe8bb78b.pdfIn PDF document text
    • https://buveziketi.weebly.com/uploads/1/3/1/3/131398526/6882099.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367294/normal_5f87e63bd9b12.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4383321/normal_5f9891f3121bd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://cdn.shopify.com/s/files/1/0430/3588/5721/files/73872601327.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0504/6747/1551/files/best_guide_book_for_assam_tet_2020.pdfIn PDF document text
    • https://s3.amazonaws.com/xozeb/atkins_diet_plan.pdfIn PDF document text
    • https://s3.amazonaws.com/jupevuxirapi/20517881923.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8725/8289/files/ganezup.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/5413/3159/files/96111809865.pdfIn PDF document text
    • https://s3.amazonaws.com/rorives/weak_acid_definition_ib_chem.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0505/7196/8680/files/trade_marks_act_1994_sentencing_guidelines.pdfIn PDF document text
    • https://s3.amazonaws.com/guwutivupudutu/xawopilubetomiwumames.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/3761/4499/files/78977379053.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0478/0710/3143/files/11116392160.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c1af.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC1AF 5480 bytes
SHA-256: efc7d5de9cb234c4c0e173576f24e74251b2ab964f6d995ff50be0c77a300958
font_01_sfnt_off0000d439.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD439 11676 bytes
SHA-256: 0edc2232bd11befd7cfa8b4fe6fecea15edcccbb0701fd4900a53db0a4c87e8f
font_02_sfnt_off0000fb94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB94 4324 bytes
SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378

Open this report in the interactive analyzer, or submit your own file for analysis.