PDF malware analysis — malicious · 043121880c48fc66

MALICIOUS

PDF

37.5 KB Created: 2020-07-28 02:31:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a0671251bc3e686fe10073d4a146a77e SHA-1: a1793dd6bf688a586968edef424fb464a3fb4722 SHA-256: 043121880c48fc669901adbf99c6439021e47dddf466bb107740d8bbf6afe8b2

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to a redirector service known for malicious activity. The document body, though heavily obfuscated, appears to reference music and the authoring application, suggesting a lure to disguise the malicious link farm. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=blessing+shumba+all+songs
- http://files.wornworx.com/uploads/1/3/1/4/131437770/fugekatukos.pdf
- http://files.jasminmujanovic.com/uploads/1/3/2/6/132683289/ed66a096d6.pdf
- http://files.electaylin.com/uploads/1/3/1/8/131871602/duferov_vimoga_lomibe.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0432/3796/5979/files/65387093827.pdf
- https://cdn.shopify.com/s/files/1/0434/0118/3397/files/64577993735.pdf
- https://cdn.shopify.com/s/files/1/0432/3740/8936/files/pamusujafu.pdf
- https://cdn.shopify.com/s/files/1/0431/9870/9918/files/zetosudupirepebefemize.pdf
- https://cdn.shopify.com/s/files/1/0431/8360/3873/files/73090648929.pdf
- https://cdn.shopify.com/s/files/1/0431/8475/0747/files/62036442332.pdf
- https://cdn.shopify.com/s/files/1/0436/8692/0347/files/31984002503.pdf
- https://cdn.shopify.com/s/files/1/0430/3152/7575/files/95132454714.pdf
- https://cdn.shopify.com/s/files/1/0435/4650/9461/files/40940845198.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/57379697448.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000056d3.bin` `347c7981f7102a57983f5d6408d5e4a09e3d4c8b6043f91a1eac6b47b79e6666`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56D3	4992 bytes
`font_01_sfnt_off00006795.bin` `4cff2407b7d2dc572ed5e2fd3adb22992a560c221356a3de78d536f971e11f90`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6795	10184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.