PDF malware analysis — malicious · 53abda06f08d1dc2

MALICIOUS

PDF

44.1 KB Created: 2020-10-29 11:35:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14

MD5: a70410d4799ebdcfb910e0c0ae6a896c SHA-1: 945f89eff16bb1bdf33d2f4bb51a92044db2f2a5 SHA-256: 53abda06f08d1dc237a452d875ba53bed9b12b105baa2d109d8143eaccb6f78a

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to disposable hosting, and one critical link to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ggtraff.ru/strik?keyword=royal+doulton+china+value+guide', suggesting a lure to a malicious site. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/strik?keyword=royal+doulton+china+value+guide In PDF document text
- https://cdn-cms.f-static.net/uploads/4368474/normal_5f994aaa599c3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4389604/normal_5f973cf13e9fd.pdfIn PDF document text
- https://xezinazilasiza.weebly.com/uploads/1/3/4/3/134319357/2130304.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374963/normal_5f897fbbad5d4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366388/normal_5f8dc428d43e6.pdfIn PDF document text
- https://naxizugopigonav.weebly.com/uploads/1/3/1/4/131408516/8cea94.pdfIn PDF document text
- https://ranerenonosojib.weebly.com/uploads/1/3/1/4/131483420/2331285.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368243/normal_5f9729ca903d4.pdfIn PDF document text
- https://bepagiji.weebly.com/uploads/1/3/4/3/134352373/1931881.pdfIn PDF document text
- https://jarapitoxedomel.weebly.com/uploads/1/3/1/4/131437170/wegowoz_wujewaxepafid_xevizuxo.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4385412/normal_5f9203e85744e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374519/normal_5f8dfca2d8b7b.pdfIn PDF document text
- https://lugoponogib.weebly.com/uploads/1/3/4/4/134404253/vesilugure.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/99f18e17-37b2-45cb-bf17-ed3955ef56c1/los_demonios_del_eden_ensayo.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0496/4660/0341/files/gifexa.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0500/9270/3915/files/72704412586.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b5a357ba-8a38-43d6-8307-9cee67ef19a6/nidotevozofadoxaxeler.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0484/7511/1586/files/wuwiwesitinewevufe.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0439/0758/0072/files/zuwodalobalukup.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0492/3473/9356/files/14916888773.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e4f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E4F	5096 bytes
SHA-256: `cd33390a01cec5e026eafc96104c01e35e3f5766b37c5b6e04070d3d3707b197`
`font_01_sfnt_off00007fbb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FBB	10320 bytes
SHA-256: `24db6fd29f45c12d7ba363b57c587ac5900294f11f9935fa72810af32b32efe3`

Open this report in the interactive analyzer, or submit your own file for analysis.