PDF malware analysis — malicious · 62bd409e17e7da75

MALICIOUS

PDF

52.0 KB Created: 2020-08-30 07:55:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1633e4ee9b9e8d2f64c4c1eae5d779b1 SHA-1: 288a5f6e0889e7f667ce7aa8f130ccb151e5acf3 SHA-256: 62bd409e17e7da751c64ab4e4c1ae662bba7f21fb295a904d68082f25d4ce5e6

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, one of which points to a known malicious redirector infrastructure. The document body, though heavily obfuscated, appears to contain the same URL, suggesting a lure to a malicious site. The presence of numerous other PDF links, many pointing to Shopify, indicates a potential link farm or SEO manipulation tactic to distribute malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=harry+potter+lego+years+5+7+walkthro
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0436/7836/7897/files/list_of_south_african_apartheid_laws.pdf
- https://cdn.shopify.com/s/files/1/0430/3519/7602/files/runapatexivikelupan.pdf
- https://cdn.shopify.com/s/files/1/0434/9512/9254/files/14079151281.pdf
- https://static.usrfiles.com/ugd/362633_d5e6ef5e48e44cfd8fb028548345584d.pdf
- https://static.usrfiles.com/ugd/98e298_2be920e28717423fa0ce8fd2b713fdb1.pdf
- https://cdn.shopify.com/s/files/1/0461/9485/1998/files/music_to_iphone_xr.pdf
- https://cdn.shopify.com/s/files/1/0427/9864/5404/files/mazanofun.pdf
- https://cdn.shopify.com/s/files/1/0457/8816/8358/files/a44_1_inadmissibility_report.pdf
- https://cdn.shopify.com/s/files/1/0434/6295/1062/files/budgeting_and_forecasting_interview_questions_and_answers.pdf
- https://static.usrfiles.com/ugd/696b8a_ce551ae2047f4c30bb36f5ce36aa50b9.pdf
- https://static.usrfiles.com/ugd/4b874d_90d3a713b0ad4dbeb5c5afed4edc8aea.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008acb.bin` `5123702a94c83f76631d6d5eebdd23e8c31d1c803e3f823082c7d4fc7376a1f1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8ACB	5504 bytes
`font_01_sfnt_off00009da4.bin` `eb260430e5c4432de9ac814b13683d547db3ef552c4f5e224f6894dccc797dd1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DA4	11320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.