PDF malware analysis — malicious · 63e1fb7a90a7b4ac

MALICIOUS

PDF

40.0 KB Created: 2020-09-17 10:38:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e6fa0e1e5cbc97d58dc8291fde298617 SHA-1: 6922da9eae813d9997a3d5663b7106d7a14713e4 SHA-256: 63e1fb7a90a7b4acf9ae865160cd103e2de27f9b7b746f7e74dbd14d1ce6516c

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though partially corrupted, suggests a lure related to career guidance ('Fabjob guide to become a life coach'). The presence of a malicious redirector and a large number of external links indicates an attempt to direct users to potentially harmful content or phishing sites.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=fabjob+guide+to+become+a+life+coach
- http://purubu.inspiretkd.com/uploads/1/3/1/6/131606490/9419344.pdf
- http://files.nadialassmanart.com/uploads/1/3/2/8/132815365/328540.pdf
- http://vesiji.piecemakersquiltshop.com/uploads/1/3/1/3/131379256/wujabogeki.pdf
- http://lefumovur.tasha.golf/uploads/1/3/1/8/131856827/begixamurajasinin.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://d516f9d0-144a-4acd-9065-4a7d97fba388.filesusr.com/ugd/7ef0dc_3c216d56dbdf4f2481dd9b499e477fbf.pdf?index=true
- https://14c72064-8bb9-48be-8bbd-936e2405a338.filesusr.com/ugd/aff7ca_6b3ad3ccb7c7453298db97efb8950fa9.pdf?index=true
- https://cdn.shopify.com/s/files/1/0481/5663/9381/files/aicpa_personal_financial_statements_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/1974/8006/files/40075448537.pdf
- https://cdn.shopify.com/s/files/1/0484/7439/0678/files/98789072368.pdf
- https://cdn.shopify.com/s/files/1/0463/4158/7100/files/pogijexu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005db3.bin` `645e00193e33388b7dbed1f4ab495dedd6e45c2965a797b2e5f00e069fb00130`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DB3	5332 bytes
`font_01_sfnt_off00006fbf.bin` `d5a1fe9009ac189645b5bb07f268d0af0db66c554f1e6ec834e03856de403a48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FBF	10520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.