MALICIOUS
Risk Score: 194
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000079bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79BC | 5088 bytes | 8795189ac51a6f1f0bf7d8e9f3212e8551703a2f1bece8a4552da4c8514650fe |
| font_01_sfnt_off00008ade.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8ADE | 2712 bytes | d4db78078e2e5a896dc9fd465ab1291990a53dbd64407b89ed3fbc77ef523013 |
| font_02_sfnt_off0000966d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x966D | 12352 bytes | e13fb34f156414881abd199922356aac1242b18123c3886393c638b01c11d9fa |
| font_03_sfnt_off0000bd0c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD0C | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |