PDF malware analysis — malicious · 0cd8de788703fb6f

MALICIOUS

PDF

41.5 KB Created: 2020-08-26 17:54:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 08033211cf74c759795b37103c476460 SHA-1: dd1fbccc41df11b76312cf6c5597b7a89d1278a1 SHA-256: 0cd8de788703fb6fddb4719d8db0e4198323d1e2324e6b294272734a3bb462d7

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a link that redirects to a known malicious domain, masquerading as a torrent download. This is further supported by heuristics indicating a malicious redirector link and a link farm. The ML classifier also strongly flagged this PDF as malicious. The primary IOC is the malicious redirector URL.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=finding+dory+torrent+download
- http://balupuv.claudiacomerci.com/uploads/1/3/0/7/130739678/ece470df0.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://cdn.shopify.com/s/files/1/0430/7773/0464/files/57269085382.pdf
- https://cdn.shopify.com/s/files/1/0431/9943/0815/files/92912269863.pdf
- https://cdn.shopify.com/s/files/1/0433/6409/0006/files/juganuwonogopi.pdf
- https://cdn.shopify.com/s/files/1/0429/5580/0732/files/gokebunotebevukafosaz.pdf
- https://cdn.shopify.com/s/files/1/0434/6619/5106/files/bezixizowepufekagop.pdf
- https://cdn.shopify.com/s/files/1/0438/8945/9368/files/vivivulekatoxorerabiko.pdf
- https://cdn.shopify.com/s/files/1/0428/0002/1667/files/91456419115.pdf
- https://cdn.shopify.com/s/files/1/0431/4028/4583/files/careplus_authorization_form.pdf
- https://cdn.shopify.com/s/files/1/0454/2785/1422/files/borges_libros_gratis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000057bb.bin` `95577839b2b4f298406dffd18f10d825fb3107c357c58bfe243ff765ff3995f0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x57BB	4752 bytes
`font_01_sfnt_off000067fb.bin` `c0fbd242ece87046e4e94032fd871eb1e9b1d47dc655b366b62e717155a7e49e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67FB	10424 bytes
`font_02_sfnt_off00008b8b.bin` `7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B8B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.