PDF malware analysis — malicious · 6db2635d984e54ab

MALICIOUS

PDF

39.8 KB Created: 2020-08-17 01:56:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0a89c710af8d422fcd63046fb99c64ef SHA-1: 87420cf5605f180c6757bbef919a36ef6fdf1c8c SHA-256: 6db2635d984e54abbba0d034bc8f4fcd97885fe7853a7cd06d55b8b3dd179cba

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm and a direct link to a known malicious redirector, disguised as a free song download. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains the malicious URL and text suggesting a lure. The embedded links likely lead to further malicious content or phishing pages.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=latest+afrikaans+songs+free
- http://sutov.govipgolfcarts.com/uploads/1/3/1/4/131452841/d31d8.pdf
- http://files.washingtonfirstumc.com/uploads/1/3/2/6/132682167/4325865.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0433/9014/0581/files/network_security_administrator_roles_and_responsibilities.pdf
- https://cdn.shopify.com/s/files/1/0430/3598/4029/files/gegozidajepobexizeb.pdf
- https://cdn.shopify.com/s/files/1/0433/6081/3208/files/xotikaseribijikaxulag.pdf
- https://cdn.shopify.com/s/files/1/0430/1760/1181/files/bileduzezozisupapewejuba.pdf
- https://cdn.shopify.com/s/files/1/0430/9961/9492/files/enrollment_form_sample.pdf
- https://cdn.shopify.com/s/files/1/0435/0817/0918/files/213608480.pdf
- https://cdn.shopify.com/s/files/1/0438/6576/8096/files/74428097686.pdf
- https://cdn.shopify.com/s/files/1/0431/2760/3354/files/metallica_enter_sandman_tab.pdf
- https://cdn.shopify.com/s/files/1/0434/5780/6488/files/kakudejukafikunu.pdf
- https://cdn.shopify.com/s/files/1/0433/7342/8888/files/gijike.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005db8.bin` `d50d0886eb850302cb2ce6e3fdca6832f0103c1dc6be60c0489b5c71d19ede12`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DB8	4908 bytes
`font_01_sfnt_off00006e82.bin` `fda762ec134ea3dfcae780b0522963525e7104530d9737a0f3a5f8058e1bf2a6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E82	10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.