PDF malware analysis — malicious · 3a61e107e4948477

MALICIOUS

PDF

66.1 KB Created: 2020-12-13 22:09:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14

MD5: c92b9d8ccfc2aad8363ba6923b4f2d4d SHA-1: 3297204e4f933bdd2130f948771368e5b5e4f355 SHA-256: 3a61e107e494847724a9fb63dab391a4314ba6cb0fa115a0023043631be63cd2

202 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating it is a malicious redirector, specifically designed to lure users with a fake download button. The primary malicious URL, 'https://traffking.ru/aws?utm_term=webcam+companion+4+activation+code+free', is flagged as a known malicious redirector. The ML classifier also strongly indicated maliciousness. While no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to deliver a second-stage payload or phish credentials.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffking.ru/aws?utm_term=webcam+companion+4+activation+code+free In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://s3.amazonaws.com/lorifumofelu/bedekivenejotib.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3a7a213b-1d85-4e88-b17c-4590944d82d9/gender_roles_in_ancient_greece.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc0d6092e537a05ef08bc6e/t/5fc66b1461e25426e11461b6/1606839062706/91270347552.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9cccb457-6b71-4e19-bfd9-900212b1297f/gilson_rototiller_parts_diagram.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc59ab6084698658e7e4eec/t/5fc61745cb3e0f5771203c36/1606817606002/panda_population_in_china.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d06881bb-831d-4156-a063-a49d0c6877b8/3111086337.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b5f0edef-2e8e-4f0c-958c-1463a9cbf489/my_dog_has_big_nipples_but_not_pregn.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc562607848ba205d36ad9a/t/5fc5f1d8fa04221c71ed44a8/1606808025057/35349509204.pdfIn PDF document text
- https://s3.amazonaws.com/bubodeliza/good_games_unblocked.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cb5ee739-bdcd-450a-8224-89fd3c55a951/8923354403.pdfIn PDF document text
- https://s3.amazonaws.com/fizufapu/cursive_writing_letter_i_worksheet.pdfIn PDF document text
- https://s3.amazonaws.com/diwitapezu/pogogojeribe.pdfIn PDF document text
- https://s3.amazonaws.com/wiwuxot/favorites_list_template.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f6c02da9-4bdb-4a65-a9a3-767d75c5c30f/kixowenipufuwugopone.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b736.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB736	5180 bytes
SHA-256: `1ef94474bb58cc06ba9dca263b9beb894bb177700a34370ecf9d547a3e739a77`
`font_01_sfnt_off0000c8cb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC8CB	10656 bytes
SHA-256: `1e69e51595866f5e8e5465b3a8744eefac6a9848725255552c9d2144f464b5d4`
`font_02_sfnt_off0000ed2c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED2C	4324 bytes
SHA-256: `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`

Open this report in the interactive analyzer, or submit your own file for analysis.