PDF malware analysis — malicious · 27da7029ce06c24f

MALICIOUS

PDF

69.2 KB Created: 2020-11-21 04:46:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6b703ab0138f17f6199580b066fe8217 SHA-1: d478e93e37ce22b36f27b9546c3e46bb2a48b51a SHA-256: 27da7029ce06c24f12e2c078dfab2bdec41e95cb8ff691247776c46c0c06e74b

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://traffmen.ru/123?utm_term=hustle+castle+tips+for+beginners'. This indicates the document's primary purpose is to redirect the user to a potentially harmful site. The ML classifier and ClamAV detection further support the malicious nature of this PDF, classifying it as a phishing trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffmen.ru/123?utm_term=hustle+castle+tips+for+beginners
- https://cdn-cms.f-static.net/uploads/4391621/normal_5fa6eb664e5b6.pdf
- https://cdn-cms.f-static.net/uploads/4371814/normal_5f8ce8a5ecdb3.pdf
- https://cdn-cms.f-static.net/uploads/4369901/normal_5f8932a29d48e.pdf
- https://cdn-cms.f-static.net/uploads/4393353/normal_5f9dc8fc46c15.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/cfcadf29-eeea-4fec-abdc-06fc997e781c/73851082782.pdf
- https://uploads.strikinglycdn.com/files/45fd4993-419c-4e11-9bef-660833a9481b/55371395922.pdf
- https://uploads.strikinglycdn.com/files/a2cf8278-3d91-485f-8351-1c6591fd6ad5/70137694387.pdf
- https://uploads.strikinglycdn.com/files/862809e0-ad7c-4f04-8ea2-80f994cb988f/porirebifuwidos.pdf
- https://uploads.strikinglycdn.com/files/929c35b0-2c30-4b95-9410-63de512c1d0c/48859830269.pdf
- https://uploads.strikinglycdn.com/files/464f8bdc-25fb-4115-9d5c-493942153a1c/10271442875.pdf
- https://uploads.strikinglycdn.com/files/82c2aff9-5d1e-4e42-87c4-0ecc306f1d1d/75933121612.pdf
- https://s3.amazonaws.com/bunobu/robert_forster_movie_actor_bio.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d332.bin` `88df0c0d01f7d1bf013e6bc64957934f18cad498fdf98c9defc0603a181a83cf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD332	5284 bytes
`font_01_sfnt_off0000e539.bin` `7b06597909e6a640dd5c5a688d8115e9ce52ec8f5fa571717b5cd637f4bf3aab`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE539	10292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.