PDF malware analysis — malicious · 7951b0440b445605

MALICIOUS

PDF

58.3 KB Created: 2020-11-09 12:10:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 48588bb8dd872ee6b7207f1506be27d8 SHA-1: 126afbe3c5927fe6ac630cea8624cf78ac33ce85 SHA-256: 7951b0440b4456051aececf9ec6cf945b4ee8bc8c06544cb48f96e97b1d96ba4

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, disguised as academic material. The ML classifier strongly flagged this PDF as malicious. The embedded URL, https://ggtraff.ru/123?keyword=january+2017+algebra+2+regents+answers, is the primary indicator of malicious intent, likely leading to a further stage of attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/123?keyword=january+2017+algebra+2+regents+answers
- https://cdn-cms.f-static.net/uploads/4371246/normal_5fa7e0be55faf.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/fodose/lijave.pdf
- https://uploads.strikinglycdn.com/files/9fe15270-f70d-4a2f-9613-9fc30e24b095/61551416714.pdf
- https://uploads.strikinglycdn.com/files/8eb1b134-89cb-43b1-b204-8885f156632e/vehicle_bill_of_sale_texas.pdf
- https://s3.amazonaws.com/mamukawaxatali/asme_standards.pdf
- https://s3.amazonaws.com/divelatoxa/kevin_hearne_a_prelude_to_war.pdf
- https://s3.amazonaws.com/fapaga/933642925.pdf
- https://uploads.strikinglycdn.com/files/2cff9087-2164-4448-a033-bb8ea01c7265/laziwuduwagalufetila.pdf
- https://s3.amazonaws.com/kubafezin/jailbreak_2_games_for_pe.pdf
- https://s3.amazonaws.com/luropi/ziwevejidugu.pdf
- https://s3.amazonaws.com/lurutopobi/tejido_crochet_para_bebes.pdf
- https://s3.amazonaws.com/peveziwoguxuzam/24718634897.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007ce3.bin` `c7e23f21c6bdeb8db9515763facabfb2d7e54c8ff47d34301ceac75d2145ad16`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7CE3	5304 bytes
`font_01_sfnt_off00008f19.bin` `4ce9e7962bed396acebfeaa3c0a30d4d78c3e093f922a6cb6a1aaa7d08cc72b0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8F19	11668 bytes
`font_02_sfnt_off0000b719.bin` `4d34b729cd27449460e0a4cb10fd9b82f83ff2e24000bb4c65157dc9f2b0e44a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB719	16092 bytes
`font_03_sfnt_off0000cbda.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCBDA	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.