PDF malware analysis — malicious · 0cf3d6a36225f81f

MALICIOUS

PDF

65.0 KB Created: 2020-10-17 10:04:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23

MD5: b8ec67a289b737f2d3a5eef4dbfe4685 SHA-1: f0a27741f6bd5db0125baf72768ff423dbe7837b SHA-256: 0cf3d6a36225f81ffbb8911129fc148d46e226773414f081b9c6245d1b73020e

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the one identified by the redirector heuristic. The presence of a link farm and a malicious redirector suggests an attempt to direct users to a malicious site, likely for phishing or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/123?keyword=planted+aquarium+guide+pdf In PDF document text
- https://tenagudewujuga.weebly.com/uploads/1/3/1/1/131164273/99b44ff8228bfeb.pdfIn PDF document text
- https://towetebofipu.weebly.com/uploads/1/3/1/4/131437669/kikudedoji.pdfIn PDF document text
- https://jarapitoxedomel.weebly.com/uploads/1/3/1/4/131437170/vodupuvij-poraxesi.pdfIn PDF document text
- https://saxexowiki.weebly.com/uploads/1/3/0/9/130969873/7991580.pdfIn PDF document text
- https://mapipuluzobeb.weebly.com/uploads/1/3/1/3/131398440/kerubir.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375210/normal_5f8a952190a2e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374366/normal_5f8a83d09d20a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366033/normal_5f8777bc71790.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/c04fc417-535f-4218-90a4-ace1a242dcb2/tibeda.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00770e63-2864-4000-b7ab-bffb5876b29f/fujimedafotosoz.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2613ed26-d24a-4fb7-842d-6a47385900f6/fodin.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/66b60349-3497-4daf-99fa-1545c4297f5a/50868599753.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3ad09211-345e-467e-8522-f1a49676b30b/kejajejefobe.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0497/2609/5540/files/57095094420.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0433/7300/2906/files/91843104390.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0437/8987/7405/files/ap_statistics_test_9a_answer_key.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0437/0956/3029/files/9mm_taurus_pt111_g2_guide_rod_laser.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0494/7276/6119/files/39607313635.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e98e5d53-5c1b-49cd-b855-4050e3503b58/74872369217.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/45cb4dc8-99fd-4ff2-a019-64c5ade6d98e/86335937634.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/203db484-c763-4b37-ba44-f6a7683f3716/segaribaxapom.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c221.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC221	5308 bytes
SHA-256: `505053a4b7b91f202d83c1b7830c286ce3d7a9352e3889672a0c51b7c4785383`
`font_01_sfnt_off0000d40d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD40D	10252 bytes
SHA-256: `9863d0e132d2731de0b037dc1d92c44bf42c72ecc1cb740529789b4382a7a0f9`

Open this report in the interactive analyzer, or submit your own file for analysis.