Risk Score: 214 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF was flagged as malicious by multiple heuristics, including a critical finding for a clickable link to known malicious redirector infrastructure. The embedded URL 'https://ggtraff.ru/123?utm_term=who+is+mark+harmon+married+to+in+real+life' is consistent with a phishing or scam campaign that redirects users to malicious content. The Nyx ML classifier (malicious score 0.9998) and the ClamAV signature match (Pdf.Phishing.Trojan) corroborate the verdict.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in PDF document text:
  - https://ggtraff.ru/123?utm_term=who+is+mark+harmon+married+to+in+real+life
  - https://static.s123-cdn-static.com/uploads/4481841/normal_5fc90294064ba.pdf
  - https://vugiwaxe.weebly.com/uploads/1/3/4/7/134739196/7529223.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - http://www.daltonmaag.com/
  - https://static1.squarespace.com/static/5fc5de1b7848ba205d3add58/t/5fcd599feb18547f4b956ea8/1607293344825/tizogugubaxowofanekisolez.pdf
  - https://uploads.strikinglycdn.com/files/526ee37f-800d-4bf0-b4cc-89a440f62323/xobefusevanomajuxute.pdf
  - https://uploads.strikinglycdn.com/files/29cfec60-13f6-4b81-93a4-8862e0006f17/65817428100.pdf
  - https://static1.squarespace.com/static/5fc7979cc2869f0c81c41b6b/t/5fcd010feb18547f4b87b17a/1607270675540/63737295739.pdf
  - https://static1.squarespace.com/static/5fc702bd03f04e270fe2153a/t/5fcafb1b9708706f3992efec/1607138075393/pupunomoborijirisamevu.pdf
  - https://s3.amazonaws.com/zifozujiwi/84579717929.pdf
  - https://static1.squarespace.com/static/5fc3963c12facd59cebdd614/t/5fd1af64eeaf2774ac8b21ec/1607577447228/domabija.pdf
  - https://uploads.strikinglycdn.com/files/d5897352-ca9e-4d30-bd13-e5fecf20745e/pinikefesowa.pdf
  - https://static1.squarespace.com/static/5fcf0d4c7d46c3615fb05a19/t/5fd60ee07fc52c20691a84ee/1607864033659/45189904428.pdf
  - https://static1.squarespace.com/static/5fc506b4e5c7695ca9b60c25/t/5fcd4377c836a917f91a2412/1607287672134/20390832222.pdf
  - https://static1.squarespace.com/static/5fc654f3239b072291564cc4/t/5fd6342aab1a676c7287f1ac/1607873578939/ledazipalifoxiwogi.pdf
  - https://s3.amazonaws.com/wozowuledij/4213955284.pdf
  - https://uploads.strikinglycdn.com/files/5646e0ee-6c82-49c1-b935-4ad7358212bb/sanonebezune.pdf
  - https://uploads.strikinglycdn.com/files/2b334c90-d8fa-45f4-bf0b-a0807cb05c0a/12954436543.pdf
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
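The two structural heuristics above, the link-farm check (PDF_SEO_LINK_FARM) and the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), can be reproduced with a raw-bytes sweep over the file, which is also how they behave on a real sample: they do not need a parser that resolves the xref table. The Python below is an added example written for this page, not the analyzer's own code. The PDF byte string is constructed for the demonstration (it is not carved from the reported file), the host names in it are illustrative, and the thresholds max_size, min_pdf_links and dominant_share are assumptions rather than the analyzer's real tuning. It scans for every `N G obj ... endobj` definition, reports object numbers that appear more than once with different bodies and shows what a first-wins reader and a last-wins reader would each resolve, raises the severity only when a duplicate carries active content, and counts clickable /URI targets per host to decide whether a small file is a link farm.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample (not the report's file): a small PDF-like byte string with
# four link annotations, three of them .pdf links on one host, and object 4
# defined twice with different bodies, the shape left by an incremental update.
# The second definition of object 4 carries JavaScript, i.e. active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Length 8 >> stream
original
endstream endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://ggtraff.ru/123?utm_term=x) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://static1.squarespace.com/static/a/t/b/1.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://static1.squarespace.com/static/c/t/d/2.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (https://static1.squarespace.com/static/e/t/f/3.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.launchURL("https://ggtraff.ru/123")) >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# Every "N G obj ... endobj" definition in file order, regardless of xref.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Clickable link targets; literal-string form only (hex strings are not handled).
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")
# Dictionary keys that make a duplicate definition "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm")


def parse_objects(data):
    """Return {(num, gen): [body, ...]} with one body per definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def resolve(objs, key, policy="last"):
    """Model reader disagreement: a first-wins reader uses the first definition,
    a last-wins reader (incremental-update semantics) uses the last one."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(objs):
    """Objects defined more than once with differing body bytes.
    Severity is 'info' for body-only differences and 'critical' when any of
    the conflicting definitions carries active content."""
    findings = []
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "defs": len(bodies),
                             "first": bodies[0], "last": bodies[-1],
                             "severity": "critical" if active else "info"})
    return findings


def link_uris(data):
    """All /URI targets in the file, decoded byte-for-byte."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm(data, max_size=200_000, min_pdf_links=3, dominant_share=0.5):
    """Flag a small file whose clickable .pdf links cluster on one host.
    Thresholds are assumptions for the demonstration, not the analyzer's tuning."""
    uris = link_uris(data)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    flagged = (len(data) <= max_size and len(pdf_links) >= min_pdf_links
               and bool(pdf_links) and top_n / len(pdf_links) >= dominant_share)
    return {"flagged": flagged, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_links": top_n, "uris": uris}


def analyze(data):
    objs = parse_objects(data)
    return {"duplicates": duplicate_objects(objs), "link_farm": link_farm(data)}


if __name__ == "__main__":
    report = analyze(SAMPLE_PDF)
    for d in report["duplicates"]:
        num, gen = d["obj"]
        print(f"obj {num} {gen} defined {d['defs']}x [{d['severity']}]")
        print("  first-wins reader sees:", d["first"][:60])
        print("  last-wins reader sees: ", d["last"][:60])
    lf = report["link_farm"]
    print(f"link farm: {lf['flagged']} "
          f"({lf['top_host_links']}/{lf['pdf_links']} .pdf links on {lf['top_host']})")
```

On a real sample the same sweep has to be read with two caveats: objects inside compressed object streams (/ObjStm) are invisible to a raw regex and need inflating first, and a /URI written as a hex string or with escaped parentheses will be missed by URI_RE. Neither matters for the constructed input, but both are gaps an evasive carrier could exploit, which is why the report's own duplicate-object rule keys on the definition's body bytes rather than on what a single reader happens to render.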
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d766.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD766 | 5012 bytes | 4d9dcb385fef00020ceadb003f694811140122174b2e9c78848536b2bf8594af |
| font_01_sfnt_off0000e846.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE846 | 10180 bytes | 9cfd042663d7d07c777c8ce9bc4ff3a6463a916018019eff28393641fcefa219 |
| font_02_sfnt_off00010ade.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ADE | 4324 bytes | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |