PDF malware analysis — malicious · 0953615e58871d5b

MALICIOUS

PDF

75.1 KB Created: 2020-12-30 08:24:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7214e3aafa7d5cf870f373efd1a21ca0 SHA-1: 9828667d5a3cb5749bc7ecf1fd338cfb4e2d95c7 SHA-256: 0953615e58871d5b4b13b7267c6c6fe146165a7fbbcebace902068016d9c02a1

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains embedded links and a document body that attempts to trick the user into downloading a file, masquerading as a game download. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, with one pointing to a suspicious URL that is likely part of a phishing or malware distribution scheme. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffi.ru/123?utm_term=gta+5+apk+zip+file+download+for+android
- https://lefedatit.weebly.com/uploads/1/3/0/7/130776734/2635202.pdf
- https://nidiladidubupa.weebly.com/uploads/1/3/4/7/134753920/2309a54d.pdf
- https://cdn.sqhk.co/walumupo/gejcjje/toca_life_vacation_apk_mod.pdf
- https://filafibiwi.weebly.com/uploads/1/3/4/3/134316544/xujiwixaw_wazure.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/8a0a41a4-f860-43f7-9ad7-79589a1fedc2/53067133953.pdf
- https://uploads.strikinglycdn.com/files/b6bbf6a7-a0b1-4af3-8dd4-3ce9cb48f038/nukavajik.pdf
- https://uploads.strikinglycdn.com/files/def76fb8-8d5f-4212-b031-f5553417ae6d/12819718193.pdf
- https://uploads.strikinglycdn.com/files/e2e218ff-821d-4e2c-b407-ece032f41358/82712624104.pdf
- https://uploads.strikinglycdn.com/files/65c86873-f9a9-46ec-abf5-631b6219c7f1/dozululelokiduw.pdf
- https://uploads.strikinglycdn.com/files/d46c93ed-9b83-4f95-b4d0-79c1cac01404/2122253889.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e945.bin` `e7638f23042336ae84b0aa2a4a8d7a3463ddc61bf53b4195ca7aa33ccefd570e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE945	5220 bytes
`font_01_sfnt_off0000fb43.bin` `ca757ade366ea30f57aef03f92b067ce0e1822cdef94c096995eecb85dd07896`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB43	10740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.