PDF malware analysis — malicious · 8405d8c6b05a5845

MALICIOUS

PDF

37.7 KB Created: 2020-08-19 09:50:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a97cd3d8e3f2a1bcf91a52ca329bd5ff SHA-1: 18c1d4748ccc7c575abeb4d82067195c29014294 SHA-256: 8405d8c6b05a584593e447d11ced063aead58348516c0f371c3f779ada2d3454

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body and embedded links suggest a lure to a questionnaire, likely a phishing attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=tesco+festive+questionnaire+answers+2018
- http://judab.trecceshoestop.com/uploads/1/3/0/7/130740051/bedazilifon.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0435/0689/2960/files/beta_sitosterol_review.pdf
- https://cdn.shopify.com/s/files/1/0429/7526/4919/files/importance_of_wastewater_management.pdf
- https://cdn.shopify.com/s/files/1/0428/1312/8867/files/womabepu.pdf
- https://cdn.shopify.com/s/files/1/0429/6245/2643/files/human_organs_systems.pdf
- https://cdn.shopify.com/s/files/1/0434/8172/7129/files/luwifarilo.pdf
- https://cdn.shopify.com/s/files/1/0432/1184/9890/files/segizisipekixadilaxa.pdf
- https://cdn.shopify.com/s/files/1/0440/2846/1206/files/adverbs_worksheets_for_grade_7.pdf
- https://cdn.shopify.com/s/files/1/0429/5717/6986/files/git_pull_changes_from_master_into_branch.pdf
- https://cdn.shopify.com/s/files/1/0432/2574/3515/files/low_platform_bed_frame_king.pdf
- https://cdn.shopify.com/s/files/1/0430/9018/2304/files/aditya_hrudayam_slokam_in_tamil.pdf
- https://cdn.shopify.com/s/files/1/0437/8905/8209/files/10x16_shed_plans.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000056b1.bin` `941cd751aeed610ae9de6dfb63cce03c946ddc9e91d6e69ee4074e5c893f008d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56B1	5592 bytes
`font_01_sfnt_off000069e2.bin` `508b3711a8d30e622a41a9fa970203717862ef4c6cacc732e8c3e832f340db5f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69E2	9492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.