PDF malware analysis — malicious · 13818801c231b53f

MALICIOUS

PDF

409.5 KB Created: 2020-09-03 01:16:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: eb5d7801a43b8b6722797b5d2f77010e SHA-1: 3cd91d9b5414db119ffdd852961a2e2aca6f15b8 SHA-256: 13818801c231b53fa1d4d542df40faee96dfccf3c073168c937d5ac51d564efd

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, which is a common tactic for phishing and malware distribution. The document body, though heavily obfuscated, contains text related to 'canciones de la iglesia catolica letra pdf' and the malicious URL, suggesting a lure to trick users into clicking the link. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=canciones+de+la+iglesia+catolica+letra+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/a43ec6_fb04e2f4e7294c5a86be2dcae3ec114f.pdf
- https://static.usrfiles.com/ugd/9757e7_49e39e114e5843be976eb8e1220b6217.pdf
- https://static.usrfiles.com/ugd/b8c837_992ee16689ec42778a78798ee7fe50aa.pdf
- https://static.usrfiles.com/ugd/b8c837_44c12939e27449dca1e76783b80fd58e.pdf
- https://static.usrfiles.com/ugd/33a16d_aab0017fb0754e1ab8857426e57d21ce.pdf
- https://static.usrfiles.com/ugd/0779a3_bde19908464745db81e1c43b45b13744.pdf
- https://static.usrfiles.com/ugd/6cf392_3f388b4553974ef98d8203dec4a514af.pdf
- https://static.usrfiles.com/ugd/78c764_d0f68a6c49ef4b52993a1e7c618283e4.pdf
- https://static.usrfiles.com/ugd/2c608b_c1a307603e16420387920f8e12ae3455.pdf
- https://static.usrfiles.com/ugd/e32576_ca7b05eb9d3c44a9ad6a4cf1e7e107be.pdf
- https://static.usrfiles.com/ugd/1b7c00_5ac8573d7a284b3c88ffeeecf699f5d8.pdf
- https://static.usrfiles.com/ugd/110ef3_79db010d65f84076b86d5c1aacac2465.pdf
- https://static.usrfiles.com/ugd/6cfc61_84a3d3e7a7d44ee3bafed90e1779acc8.pdf
- https://static.usrfiles.com/ugd/625844_a84c3ce11b1747b58a761cd23adbf4c4.pdf
- https://static.usrfiles.com/ugd/0a593f_a1a94cd7caae41e698799bad8aee4a2b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000610c6.bin` `f4cb18bd36303edb9a007cf5009c366e648cf375762c3f7ac3eb392d8cd8457e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x610C6	5228 bytes
`font_01_sfnt_off00062297.bin` `570a7e36b5681342ccfdfc04caa66cb41733541acdff66358c446182afae597a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62297	17148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.