PDF malware analysis — malicious · 78ec00075d152d75

MALICIOUS

PDF

123.8 KB Created: 2020-07-31 07:51:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4352a1287b7b054dfc5d9f99f0426d2a SHA-1: 7052fcf171ed87cce33a538a5eb94ffe91f69e16 SHA-256: 78ec00075d152d7586512c1d499334e8b2ea5494b5fd6843cabb03c0659b03c9

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or SEO abuse tactic. One prominent URL, 'https://ttraff.ru/pify?keyword=free+aphasia+workbook+pdf', is flagged as a malicious redirector, indicating an attempt to lead users to harmful content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=free+aphasia+workbook+pdf
- http://files.painsfireworks.net/uploads/1/3/1/4/131437984/0500239.pdf
- http://files.myaurafinishingschool.in/uploads/1/3/2/7/132740949/178048.pdf
- http://files.the3gs.org/uploads/1/3/1/3/131380845/5681502.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0430/4538/8437/files/zimowabozurumogugapufane.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/75901524911.pdf
- https://cdn.shopify.com/s/files/1/0429/8991/2218/files/ginoxidiweb.pdf
- https://cdn.shopify.com/s/files/1/0438/0465/5773/files/10213659051.pdf
- https://cdn.shopify.com/s/files/1/0439/5276/7131/files/99363454102.pdf
- https://cdn.shopify.com/s/files/1/0433/8191/5798/files/51899593378.pdf
- https://cdn.shopify.com/s/files/1/0440/0496/6565/files/55984980977.pdf
- https://cdn.shopify.com/s/files/1/0431/1764/1879/files/tamoladimamatafixazipopeb.pdf
- https://cdn.shopify.com/s/files/1/0429/3161/7945/files/49059122994.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00019f7b.bin` `9a98637eb2d838a577054cac5c3ad02a520838937014e8de770fbcb5460feb0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19F7B	4952 bytes
`font_01_sfnt_off0001b06a.bin` `afa6674eb58eca6331e7e7176465ae85d3e5b3bb0ea490ca1dc9d922d5b84fab`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B06A	15668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.