PDF malware analysis — malicious · 3422cc0ada83afdb

MALICIOUS

PDF

73.7 KB Created: 2020-08-22 13:04:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cf529a4674bf2f82e56e7a9ed603a1bc SHA-1: 391655c8a8f5b914c8648b2ad9e4b83ccf20b757 SHA-256: 3422cc0ada83afdb8000e702bb5db394524345d9038e6a18f20da6eab5493305

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, with at least one identified as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body is heavily obfuscated but contains URLs that are likely part of a link farm or SEO spam campaign, potentially leading to malicious content or phishing pages.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=metallica+s%2526+m2
- http://files.mrsargus.com/uploads/1/3/2/6/132695194/d69b9a6d.pdf
- http://files.holistic-solutions.co.uk/uploads/1/3/1/4/131406518/kitajosotu-wavotos.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0435/8524/1256/files/arch_and_buttress_dam.pdf
- https://cdn.shopify.com/s/files/1/0434/3191/9783/files/arch_components_android.pdf
- https://cdn.shopify.com/s/files/1/0431/6617/1285/files/allegory_of_the_cave_story.pdf
- https://cdn.shopify.com/s/files/1/0434/5964/1496/files/77109189118.pdf
- https://cdn.shopify.com/s/files/1/0430/8733/1481/files/vocabulary_words_for_ielts_writing_task_2.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78491346320.pdf
- https://cdn.shopify.com/s/files/1/0433/1926/3397/files/visimuguze.pdf
- https://cdn.shopify.com/s/files/1/0435/4487/1063/files/ritunupisiz.pdf
- https://cdn.shopify.com/s/files/1/0447/7698/0629/files/left_navigation_menu_bootstrap_4_template.pdf
- https://cdn.shopify.com/s/files/1/0437/1854/1480/files/modern_apartment_floor_plans.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000da9a.bin` `6a84ca2160b9471e1c3b111d1630fe797afd5e5e7b4dc84ddc4d3f0cd83f49ef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDA9A	4704 bytes
`font_01_sfnt_off0000eaae.bin` `4d897955f75cecc0ba9245ea71259061efbca65faca81295ff41a7e19f11dabb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEAAE	15672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.