PDF malware analysis — malicious · 5e5392940527be46

MALICIOUS

PDF

43.3 KB Created: 2020-08-17 09:27:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 35945fddf7907346282e888549c2a23f SHA-1: 761f4f39b9fa87fcf0171e63a88ee52b730a1031 SHA-256: 5e5392940527be4652360c13646b2ab47ab9c896e1f99acef06ac81e50ca1d58

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains a URL that appears to be a lure for a 'determiners worksheet for class 9'. The PDF also contains a link farm pointing to numerous PDFs, suggesting a SEO-based distribution tactic. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=determiners+worksheet+for+class+9
- http://getota.cameliascandles.com/uploads/1/3/2/7/132740900/wokajukusax_muwotukafaku_movumenuw.pdf
- http://files.isakpronepal.org/uploads/1/3/0/7/130738850/jenusaxofixapu-banole-wepene-xofewafijut.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0435/1541/2632/files/64467419914.pdf
- https://cdn.shopify.com/s/files/1/0431/2491/6388/files/1564277312.pdf
- https://cdn.shopify.com/s/files/1/0434/7192/9496/files/komajimo.pdf
- https://cdn.shopify.com/s/files/1/0431/2937/2821/files/wolitilafemivudoluzepipul.pdf
- https://cdn.shopify.com/s/files/1/0438/6743/9264/files/kekiruzixowofopepa.pdf
- https://cdn.shopify.com/s/files/1/0435/7983/4531/files/bhagavatam_in_english.pdf
- https://cdn.shopify.com/s/files/1/0430/6377/1293/files/nalajotikiwawuzevumuloda.pdf
- https://cdn.shopify.com/s/files/1/0430/5590/6973/files/audacity_for_android_mobile.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b23.bin` `e2ed2d0d03766714c5f62d3d89f9c707e9ca62f0a9fb3c5d042995cddf65a285`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B23	5432 bytes
`font_01_sfnt_off00007d83.bin` `e8682180dd21f965203569666758888608ec14f2bdf9646fc4d694c595f6bb2d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D83	10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.