Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce3be84fd8857ad1…

MALICIOUS

PDF

43.0 KB Created: 2020-11-01 19:00:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: b00ffb257e3ed351f9b72c2759a7008d SHA-1: e0010942fe68ec4af7c1aa7c0f1e9f94c052181c SHA-256: ce3be84fd8857ad1891fe6f330b693a878d1628e28ff47fafe8f4dfb8f096698
194 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link impersonating Yahoo for credential phishing, directing users to a redirector URL. The ML classifier strongly flagged this PDF as malicious, and heuristics indicate it's a redirector link designed for phishing. The embedded document body text, though heavily obfuscated, contains the target URL and other benign-looking PDF links, likely to blend in.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://dutitujazekap.weebly.com/uploads/1/3/0/8/130814390/sosuzadi.pdf.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=bt+yahoo+mail+sign+in+login In PDF document text
    • https://dutitujazekap.weebly.com/uploads/1/3/0/8/130814390/sosuzadi.pdfIn PDF document text
    • https://mupibidegupek.weebly.com/uploads/1/3/0/8/130874042/xatuxuz.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/bajuse/axolotl_cuento.pdfIn PDF document text
    • https://s3.amazonaws.com/tetazino/learn._javascript._ru.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/95e54983-1727-4491-b781-fc834009f622/micro_onde_samsung_me89f_notice.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d17531e4-5387-4db0-8bc3-533a9c6dbe1e/minecraft_loom_patterns_recipe.pdfIn PDF document text
    • https://s3.amazonaws.com/padadutiseni/guxoxavibidumukujalunov.pdfIn PDF document text
    • https://s3.amazonaws.com/nitajosasa/27772243037.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/2766/3514/files/bojowox.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/5933/9673/files/just_for_today_aa_june_15th.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e25bd5b-8d17-4be6-bd09-9e3fb8f7cbde/43789704667.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/2487/1335/files/free_download_poweramp_full_version_apk_without_root.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/7219/9087/files/thank_you_korean_gif.pdfIn PDF document text
    • https://s3.amazonaws.com/tixedujegibex/60386977063.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3dbd9371-3d9f-426b-a8e7-8be4269690b7/69915994765.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a18.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6A18 5152 bytes
SHA-256: b9e82fa7dd8c1a4982eb2e9d156fa87b505b9880486a0efe940e6df45cd5eb35
font_01_sfnt_off00007b86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7B86 10920 bytes
SHA-256: dd82bff8692f4d81b9a0989af481f5d2de5f5216b0f677e37df686ab6f296976

Open this report in the interactive analyzer, or submit your own file for analysis.