PDF malware analysis — malicious · 675e95be7ccc9da0

MALICIOUS

PDF

43.4 KB Created: 2020-08-24 18:41:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4494b15450eb318adb99e4b62d1dbde3 SHA-1: 4c6ab6fd12bd905b8c427f57530e1538bd841add SHA-256: 675e95be7ccc9da075e8bb4bb436bb387dde8209513a95b06b2063e0485a41f9

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document was flagged by multiple heuristics as malicious, specifically for containing a large number of external links, many of which point to a redirector service. The ML classifier also strongly indicated maliciousness. The primary IOC is the redirector URL, which likely serves as a gateway to malicious content or phishing pages. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=ost+arakawa+under+the+bridge
- http://files.standrewslutherangoldcoast.com/uploads/1/3/0/9/130969356/3827539.pdf
- http://mexebag.neidrya.com/uploads/1/3/1/4/131407057/mitunile-zemij-sutuwagivib-kotenejolufaget.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0433/9440/0414/files/kejidokewog.pdf
- https://cdn.shopify.com/s/files/1/0433/7441/1926/files/85824232530.pdf
- https://cdn.shopify.com/s/files/1/0434/6983/2342/files/rivog.pdf
- https://cdn.shopify.com/s/files/1/0435/4431/4011/files/wow_classic_mage_fast_leveling_guide.pdf
- https://cdn.shopify.com/s/files/1/0435/3330/3976/files/jaduwibeb.pdf
- https://cdn.shopify.com/s/files/1/0430/6875/2023/files/gexamebano.pdf
- https://cdn.shopify.com/s/files/1/0431/3966/1981/files/24255768693.pdf
- https://cdn.shopify.com/s/files/1/0427/6954/7431/files/bomomikivinalubokisamegu.pdf
- https://cdn.shopify.com/s/files/1/0434/0622/9654/files/98434466691.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f53.bin` `8be19c64597110e650a3df6c129e4a2290065aec1172869fd1214e4e6a90e96a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F53	5376 bytes
`font_01_sfnt_off000071a3.bin` `383abdcd687460911bf3c4a72564990f44febf451a7af1f355f9024a8a42dd46`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71A3	15208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.