PDF malware analysis — malicious · 6a1a26c2fc7fa631

MALICIOUS

PDF

34.9 KB Created: 2020-08-30 01:45:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b47d53d13bf9f261a50913b55edac4f4 SHA-1: c8da144ef65d32145cd430609936e94c93f28367 SHA-256: 6a1a26c2fc7fa631f72961af6584261172170b0c134094af26e00002dd0f0ea8

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, many of which point to a link farm designed for SEO manipulation. One of the primary links directs to a known malicious redirector. The document body, though heavily obfuscated, contains references to a Samsung charger and a large number of URLs, suggesting a phishing or scam attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=samsung+sgh+1497+charger
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0446/9476/5724/files/myers_briggs_career_test.pdf
- https://cdn.shopify.com/s/files/1/0432/8561/0654/files/dolalo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nunirisolifugonogebivaxez.pdf
- https://cdn.shopify.com/s/files/1/0432/9766/9278/files/44838109303.pdf
- https://static.usrfiles.com/ugd/9219f8_4f276260bea94bb4a2a0059b905f77f5.pdf
- https://static.usrfiles.com/ugd/7e0eb0_d956e1ef3a6644929b5e37dc393c2a55.pdf
- https://static.usrfiles.com/ugd/9ff9b8_f635afac875a438e96f5d1ef6062f21c.pdf
- https://static.usrfiles.com/ugd/b8c837_74fd65b3cb494688acfec541c3497e36.pdf
- https://static.usrfiles.com/ugd/7ff653_e45e6575e33b4f2d9cd061651f3c66c7.pdf
- https://static.usrfiles.com/ugd/97368a_44ea00f3621a4a0589f455eda669d352.pdf
- https://static.usrfiles.com/ugd/09273f_6ca1dddffe9f426db3f041de59c9624d.pdf
- https://static.usrfiles.com/ugd/b8c837_54bb0d4cb75b45e58bc45931811bdcb7.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000047d8.bin` `dd91229c2fcd0d7e495445ccab1f46d6e7f6ff33db04ed5b0b3f9eecf33d377b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x47D8	5660 bytes
`font_01_sfnt_off00005af3.bin` `171893e41870718ab34140ece726ea308ef75422635a134eb6107140cc41f0fd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5AF3	10596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.