PDF malware analysis — malicious · 660857f49b19f2d7

MALICIOUS

PDF

109.9 KB Created: 2020-09-07 12:15:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7db8522f524a16891049bc0197ecf44c SHA-1: 71ba535136147fffac86899a43ab2cae202a8752 SHA-256: 660857f49b19f2d792c55cc940390b23de1ac6cca011284619a19e3dcd1689ac

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by a machine learning classifier and contains a link to a known malicious redirector. The document body, though heavily obfuscated, appears to contain the same redirector URL. The presence of a large number of external links, many pointing to PDF files hosted on content delivery networks, suggests a link farm or SEO poisoning attempt to drive traffic to malicious sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9952

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=amharic+bible+apps
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102Hussain
- http://smc.org.inhttp://smc.org.in
- http://www.opentle.org
- http://fedorahosted.org/lohit
- https://static.usrfiles.com/ugd/c5d40f_5b15e81a65ef412596d001d45ff17009.pdf
- https://static.usrfiles.com/ugd/83b1b3_5aca5f0a78cb4ed4b95e8e9f8cd18adb.pdf
- https://static.usrfiles.com/ugd/6a7407_12777f01aef945e6bae32497129537a7.pdf
- https://cdn.shopify.com/s/files/1/0430/4578/1665/files/28751799068.pdf
- https://cdn.shopify.com/s/files/1/0440/2728/1558/files/69568174915.pdf
- https://cdn.shopify.com/s/files/1/0432/7315/8806/files/48078457317.pdf
- https://cdn.shopify.com/s/files/1/0438/8909/8907/files/87323231883.pdf
- https://cdn.shopify.com/s/files/1/0434/1789/5070/files/23818544707.pdf
- https://cdn.shopify.com/s/files/1/0433/8358/6977/files/xidexevefin.pdf
- https://cdn.shopify.com/s/files/1/0435/8628/9832/files/vobofogubelelasugokasip.pdf
- https://cdn.shopify.com/s/files/1/0434/7346/9597/files/rufezowubuwowinuwejezi.pdf
- https://cdn.shopify.com/s/files/1/0437/9751/2354/files/fesatuditemenijafif.pdf
- https://cdn.shopify.com/s/files/1/0435/1308/6106/files/kafufujilop.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://savannah.gnu.org/projects/freefont/
- http://www.gnu.org/licenses/
- http://www.gnu.org/copyleft/gpl.html
- http://scripts.sil.org/OFL
- http://www.geocities.com/mitra_anirban/hobbies.htmGNU
- http://www.gnu.org/copyleft/gpl.htmRegular
- https://gitlab.com/smc/meera/blob/master/COPYING
- http://www.gnu.org/licenses/gpl.html
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006f1c.bin` `f01b132fd2f3280667e7a7b9ccdbdbf4119854882711187f84773ef16a2168e4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F1C	35248 bytes
`font_01_sfnt_off0000c9db.bin` `5488a9725e6a3964a82e237fdaef9e0e5e88520fa324084eeff55287d494a95d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC9DB	8864 bytes
`font_02_sfnt_off0000e766.bin` `ed3e4d6ed76293523076e19730542b1e16763cbe87d63602f2bcadff101d0e12`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE766	5300 bytes
`font_03_sfnt_off0000f936.bin` `8e8f0ec7c7acd1fc92f400fed707155fc0019638d12e208b59ce78c88937276b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF936	5484 bytes
`font_04_sfnt_off00010ae0.bin` `400e9459b65bcad856e5ff29fbda71613279c30c7e908cb272bf4994262b79dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10AE0	4896 bytes
`font_05_sfnt_off00011cc6.bin` `5b2d243175c94293226ae8081ef5ac76da71c59e039deb793623324a5bfd9500`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11CC6	4376 bytes
`font_06_sfnt_off0001289c.bin` `8c928ad25389fc95058fcda99cb62d63eb50ff0d7de7f6c62b6443990591946e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1289C	9116 bytes
`font_07_sfnt_off00014207.bin` `707a87fd50f73795b773b9017cfe24e91f26b5383e13b95025ebf540a6ffc916`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14207	17460 bytes
`font_08_sfnt_off000175fb.bin` `23433f2eba693e2bf0ab3926a6f5cd1d5c5260708b07b9749f635e2cafd70589`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x175FB	19604 bytes
`font_09_sfnt_off00019611.bin` `216dae46cfe6cc1c49c49f17f0b10bf089cccf87cfd9cecfb86d4a7a13efc65e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19611	4776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.