PDF malware analysis — malicious · 1449476b4bfe0a9a

MALICIOUS

PDF

33.5 KB Created: 2020-08-28 17:17:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1d00b22ff15e3a0cd157f600f549b80a SHA-1: d55a92bf5bf16911410816e77bdb7cc567aa5065 SHA-256: 1449476b4bfe0a9a0990384a630c6778ce16d5b1d83f9ac4efd4b114da62e6dc

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded links, characteristic of a link farm. One of these links, 'https://ttraff.com/pify?keyword=els+yds+kitab%25C4%25B1', is identified as a malicious redirector. The presence of this malicious link and the overall structure suggest an attempt to lure users to malicious content, likely as part of a phishing or scam campaign. No scripts were extracted, but the PDF structure itself is indicative of malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=els+yds+kitab%25C4%25B1
- http://lagudi.inspirednourishment.ca/uploads/1/3/0/8/130814868/3727019.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0436/0955/5107/files/maxade.pdf
- https://cdn.shopify.com/s/files/1/0436/2734/8121/files/abu_shuja_abu_waqar_books.pdf
- https://cdn.shopify.com/s/files/1/0431/6259/9585/files/ambiguous_genitalia_approach.pdf
- https://cdn.shopify.com/s/files/1/0429/4384/0412/files/76241586647.pdf
- https://cdn.shopify.com/s/files/1/0433/4587/1001/files/kunozozanifulo.pdf
- https://cdn.shopify.com/s/files/1/0429/1444/7519/files/wevomobumof.pdf
- https://cdn.shopify.com/s/files/1/0429/9092/8026/files/bulizowivevabadiwuzewu.pdf
- https://cdn.shopify.com/s/files/1/0435/8530/6782/files/8519500150.pdf
- https://cdn.shopify.com/s/files/1/0432/5657/8206/files/hk_caws_3d_model.pdf
- https://cdn.shopify.com/s/files/1/0436/7836/7897/files/watermark_mac.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004536.bin` `b874a497dee9922d42a9d9412e19a8e895cc9ec29d1d33e043f789b90c7a5dda`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4536	5020 bytes
`font_01_sfnt_off00005666.bin` `4f96cc36de0a104a8c5a5f8101b523f110c9898f48df603b06b002930f61e8db`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5666	9988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.