PDF malware analysis — malicious · 6f55e5f70ed27f68

MALICIOUS

PDF

42.4 KB Created: 2020-10-18 04:21:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10

MD5: 0f9b5505726de580f16f715603807d43 SHA-1: 5c8415192197510cbe80c20814d3f9c3b79e2dc2 SHA-256: 6f55e5f70ed27f684f12fb347df14595f58e63ec472406aa7a55156119f4f63b

194 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains embedded links that redirect to known malicious infrastructure, specifically a redirector URL. The document body, though heavily obfuscated, contains a URL that appears to be part of a phishing lure, likely attempting to trick users into downloading further malware or visiting a malicious site. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/123?keyword=smittybilt+spare+tire+carrier+instructions In PDF document text
- https://cdn-cms.f-static.net/uploads/4370266/normal_5f8a219480e38.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4376101/normal_5f8b5f38b144f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365560/normal_5f8714764bed2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366033/normal_5f8743de7825c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369665/normal_5f89ab6cc1fcb.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4382208/normal_5f8b703a7115c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373778/normal_5f89dd6bb63ca.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372382/normal_5f8b631bc5592.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367312/normal_5f8918caa4fe4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367004/normal_5f875ad7633a9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375894/normal_5f8b2d1d8fb26.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368954/normal_5f8822edb79be.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://cdn.shopify.com/s/files/1/0500/3250/9085/files/47609238917.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0432/4845/1739/files/6230236808.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0439/2094/9403/files/tagekufe.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0439/4916/2654/files/65662832593.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0430/8864/2197/files/lawoso.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0440/7777/7061/files/7701226491.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0268/7608/4424/files/wow_classic_warlock_pve_professions.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0495/9902/1220/files/midobewevebabanax.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006693.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6693	5424 bytes
SHA-256: `e6f58bbb981deefdb83c199e57d957b08adcdaf6d44820bf046361e022eb6b47`
`font_01_sfnt_off000078e6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78E6	10440 bytes
SHA-256: `5e988c13388a1fde23941856fb1182d600ea90bb65252e28c183e99145bf83b8`

Open this report in the interactive analyzer, or submit your own file for analysis.