PDF malware analysis — malicious · 17494740addb4ec0

MALICIOUS

PDF

35.1 KB Created: 2020-08-30 00:57:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 72836436b302634ea25770ce82ba3803 SHA-1: c7760f1b670ebc89341cf64fd7835dfea0c6921b SHA-256: 17494740addb4ec03f9eb901f1d0391d95b775404a9c76cf18a333d07dc9e297

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links that redirect to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains a URL that appears to be a lure for a free download. The ML classifier also strongly flagged this PDF as malicious. The presence of numerous external PDF links suggests a link farm or SEO poisoning attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=j+cole+no+role+modelz+free+download
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_f98fac90fa214322abfe941517a167fb.pdf
- https://static.usrfiles.com/ugd/a107db_7ba909a646854779854c04ba40149308.pdf
- https://static.usrfiles.com/ugd/b8c837_bf36f6b73d654dffb9ad9e1c2509dd58.pdf
- https://static.usrfiles.com/ugd/4ae4db_3328dad468bc4b2dae1d4a1d61054e38.pdf
- https://static.usrfiles.com/ugd/a2d007_16d57904d9074e67b15d8fce03e497b6.pdf
- https://static.usrfiles.com/ugd/8127dd_ca141b1a706447f2a4ad985d374996ec.pdf
- https://cdn.shopify.com/s/files/1/0431/5031/1579/files/fedaturejip.pdf
- https://cdn.shopify.com/s/files/1/0438/5928/0022/files/limonufokegukelefoz.pdf
- https://static.usrfiles.com/ugd/b8c837_9bfcf491c6424eec8c21ff4818667c3d.pdf
- https://static.usrfiles.com/ugd/b8c837_20ef6ccba5964ecfb694e2da3c44c52b.pdf
- https://static.usrfiles.com/ugd/b8c837_6e09bd7a86944a7c8b3a8e7710a3ed70.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004c40.bin` `d1f451c57018cd7152c52dff1592bce63e89a24990376e3334ff98f24339b007`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4C40	5120 bytes
`font_01_sfnt_off00005da4.bin` `1fee54357ff41f641c1d44c8f73a04a4bae9340a7dc7387422eee08eca92ab9b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DA4	10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.