PDF malware analysis — malicious · 663393d0513927d0

MALICIOUS

PDF

34.8 KB Created: 2020-08-29 21:54:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 51dc3070f39aba7a9cdd6453573691b4 SHA-1: 3bdd194126a4add96d5b5ee88f298a1dfca334d7 SHA-256: 663393d0513927d0ce16442e732b6346a6f6a663cee398a36d4d7dcba4c277fd

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file contains a large number of embedded links, many of which point to a redirector service. The document body, though heavily obfuscated, contains text that appears to be a lure for a "1999 dodge dakota owners manual pdf". The primary malicious URL, ttraff.ru, is flagged as a known malicious redirector, indicating an attempt to lead users to harmful content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=1999+dodge+dakota+owners+manual+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_7c8334de11cb427abfe117f3087708ba.pdf
- https://static.usrfiles.com/ugd/b8c837_1b0978d96f8c45b39f765347f84a02ea.pdf
- https://static.usrfiles.com/ugd/b8c837_ddcf71396a3c463a99180d85e72960ff.pdf
- https://static.usrfiles.com/ugd/b8c837_67e7acd4ca64447d8afb699521dc813a.pdf
- https://static.usrfiles.com/ugd/b8c837_cd88563f223d423da11e85112da10e85.pdf
- https://static.usrfiles.com/ugd/f515ca_4806f54b40814897a904e87d13ae2920.pdf
- https://static.usrfiles.com/ugd/0286dd_af76705023e340d185335dd925ae70ae.pdf
- https://static.usrfiles.com/ugd/b8c837_eb4fea33ec3547b69151513ee97c5c2e.pdf
- https://static.usrfiles.com/ugd/b8c837_892d3fbbb69d41a09f1340ce68271130.pdf
- https://static.usrfiles.com/ugd/b8c837_a49289018dd84a7f88afcfbded0bdc9e.pdf
- https://static.usrfiles.com/ugd/b8c837_9f8ed2b1abe54ebb89ad6e7405b5138e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000495e.bin` `95e41c80758ced5ebb6a695e6519a83bfee05ef38c37d6df3ca08f3c39d3bfd0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x495E	5632 bytes
`font_01_sfnt_off00005c8a.bin` `0259c47a5299f49465399051c30ef796b27801de99335560e7cae2eff650370b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C8A	9960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.