PDF malware analysis — malicious · 391aecee768708b3

MALICIOUS

PDF

91.7 KB Created: 2020-11-21 13:13:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 014b6d09f57ff5601d9c36f1804b86d4 SHA-1: 4da032c0b65aa3a903e0e05bc72ab7126aacd1e0 SHA-256: 391aecee768708b387911685ebc68f6332df529b11b8892bc0d2432e71358016

174 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing a link to a known malicious redirector, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic and ClamAV detection. The ML classifier also flagged the PDF with high confidence. While the document body is heavily obfuscated, the presence of a malicious URL strongly suggests a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

Nyx PDF Classifier malicious score 0.9944

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
QR-code redirect lure medium SE_QR_LURE

Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/123?utm_term=nielsen+grocery+family+plan
- https://cdn-cms.f-static.net/uploads/4372074/normal_5fa08b7f00641.pdf
- https://cdn-cms.f-static.net/uploads/4420756/normal_5f9d03236ffa2.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/liguwubore/dedorusejig.pdf
- https://uploads.strikinglycdn.com/files/515cb5b0-7f6c-465c-a75d-8ea291ab7031/14899636386.pdf
- https://s3.amazonaws.com/nefagolom/megaman_3d_print.pdf
- https://uploads.strikinglycdn.com/files/2affedb5-ceaa-4c99-a499-e370539127b0/4272581840.pdf
- https://uploads.strikinglycdn.com/files/0242d950-5412-4628-b8d0-652f1c7117c0/kulefujuzebilejirid.pdf
- https://s3.amazonaws.com/vezosoluvezoj/profile_arctica_refrigerator_manual.pdf
- https://s3.amazonaws.com/zirojopemup/nosavadogufirepozukavome.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000105a7.bin` `2982b4a539b70e0f18aa600a83eff3a27f5f5387f8d3616544b72f39419d9192`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x105A7	11020 bytes
`font_01_sfnt_off00012a33.bin` `e4b772bc38de58ed0e1e126cc7eb4d27e305c8de4fc4726d0e327821b002fa45`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12A33	5408 bytes
`font_02_sfnt_off00013c9d.bin` `2e896a30f49b8de11aaae330e8eb99ff8ab47c97a7f3e458f77a479bba904793`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13C9D	11072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.