PDF malware analysis — malicious · 61162e8d83ffc855

MALICIOUS

PDF

42.0 KB Created: 2020-09-08 09:59:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9b667741fee85839b2344e3cf75ffdde SHA-1: 0488b6a1e3f9271f8bf529b9465f36c0fa84d6af SHA-256: 61162e8d83ffc855a7d3af76874b679ca27f493e91283e647ffa46d30641ac5f

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'final fantasy xiv cross class guide', likely a lure to entice users to click the malicious links. The presence of a malicious redirector and a large number of external links suggests an attempt to drive traffic to potentially harmful sites.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=final+fantasy+xiv+cross+class+guide
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_8f1f618e6c904aec847d31fb882448f7.pdf
- https://static.usrfiles.com/ugd/cb4a18_4d0009b2f7d246e8be9568efe0cc6fa2.pdf
- https://static.usrfiles.com/ugd/89c6ad_86536b2945c84911bbecc4a24df76c81.pdf
- https://static.usrfiles.com/ugd/89c6ad_da6c489b86c94f16a1112429c04122ee.pdf
- https://static.usrfiles.com/ugd/79e0dc_ba9a851f114d47058474699438855ddf.pdf
- https://static.usrfiles.com/ugd/b8c837_d2cebcae217b434ea6de0aeef9b1e0b3.pdf
- https://static.usrfiles.com/ugd/c068f8_b5a41b8edb174e6996bf093fb8ae0dbc.pdf
- https://static.usrfiles.com/ugd/d2751c_c7903a697ec540729e8231e26b8b608d.pdf
- https://static.usrfiles.com/ugd/b8c837_c9e55e4022a0413fa662276bc3f6391d.pdf
- https://cdn.shopify.com/s/files/1/0437/0602/4101/files/31865277641.pdf
- https://cdn.shopify.com/s/files/1/0432/8056/4392/files/42038767320.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000663d.bin` `91cfa523b9c885607578e9627273c84750f15538e43b0fec99d37a93e5387cef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x663D	5372 bytes
`font_01_sfnt_off000078ac.bin` `cca89f9faa76cb8f54b6d3734ab80e32d081941aea4b1b79930a327469f72953`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78AC	10388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.