PDF malware analysis — malicious · 18440bc7ad7bb55e

MALICIOUS

PDF

42.1 KB Created: 2020-11-01 17:57:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8074c431476a4da74588356594217c5f SHA-1: 27f57f5943157d9c1732e5e83df7e25f6c624c1e SHA-256: 18440bc7ad7bb55e3a4c32bf5c89a8f9a578a57a8a7da9786ea516804e5bc06c

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a redirector, which is flagged as malicious. The document body, though heavily obfuscated, contains text related to 'easy frp bypass apk' and the malicious URL. This suggests the document is a lure to trick users into downloading potentially harmful software. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/123?keyword=easy+frp+bypass+apk
- https://cdn-cms.f-static.net/uploads/4387036/normal_5f8e2088dba06.pdf
- https://cdn-cms.f-static.net/uploads/4378855/normal_5f9bd63e22303.pdf
- https://cdn-cms.f-static.net/uploads/4377098/normal_5f8d6daba6bd5.pdf
- https://cdn-cms.f-static.net/uploads/4369503/normal_5f8ac7e946f88.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/6b4a7624-50e4-403f-9b1d-7e425913750f/kojafewezitexisasewig.pdf
- https://uploads.strikinglycdn.com/files/320fcb5d-8652-43b5-b389-6dcd8d83a1de/47591580973.pdf
- https://uploads.strikinglycdn.com/files/521b84d7-daf3-435f-bcec-ad00fa2076aa/jazokimitu.pdf
- https://uploads.strikinglycdn.com/files/317e0684-92c5-423e-9237-a0896668aabc/54099598611.pdf
- https://uploads.strikinglycdn.com/files/9eb77def-0f00-455d-a167-586c557cef77/69833278486.pdf
- https://uploads.strikinglycdn.com/files/ca19cdbf-15d2-41d1-84e7-a93975eef795/halo_books_free_download.pdf
- https://uploads.strikinglycdn.com/files/71e7fef9-d808-4211-bcb5-4e24ff78ff13/jizoditu.pdf
- https://uploads.strikinglycdn.com/files/2b53e63d-7c10-4ca7-b430-59a5551a46ff/dafapitanaseleti.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000640f.bin` `cc03029a544776f56483e01597e132031f2ba12aee992f276ee0676c0b840109`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x640F	5128 bytes
`font_01_sfnt_off0000759c.bin` `b102b1cbbcc8fc1d92a049d12b1c525368a81312f89f0a95adc4f172ea53dda6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x759C	11400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.