PDF malware analysis — malicious · 891e307277970d81

MALICIOUS

PDF

74.4 KB Created: 2020-11-13 22:52:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b0a83ce1af37c64bd4e6485c164a9eee SHA-1: e95f4a4f06943e7c4e3c9c89a8e84fa8de8f8d79 SHA-256: 891e307277970d815af649c11c6b1387b3bdd5a27e2574c7c56e6702374eb944

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://cctraff.ru/123?utm_term=magic+bullet+deluxe+26+piece+canada'. This URL is known to be associated with malicious activity. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the presence of a malicious URL within the PDF structure strongly suggests a phishing or malware delivery attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/123?utm_term=magic+bullet+deluxe+26+piece+canada
- https://cdn-cms.f-static.net/uploads/4366346/normal_5f8818de7d7b2.pdf
- https://cdn-cms.f-static.net/uploads/4450418/normal_5fa3741090685.pdf
- https://cdn-cms.f-static.net/uploads/4367301/normal_5fa4e75b3e595.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/c754b926-f9b9-4042-8f2c-2e8ec449586b/16304941267.pdf
- https://uploads.strikinglycdn.com/files/6d5b6a13-04c3-41a9-86fe-9f8c72f18985/the_natural_way_to_draw.pdf
- https://uploads.strikinglycdn.com/files/cad3b94b-e00d-402b-92be-e5de6cb5fa3c/goleman_emotional_intelligence_scale.pdf
- https://uploads.strikinglycdn.com/files/1dda6159-60b2-4441-b411-67f7b47f5917/on_monday_when_it_rained_lesson_plan.pdf
- https://s3.amazonaws.com/sazixipame/81094351708.pdf
- https://uploads.strikinglycdn.com/files/b290bc76-d216-4407-9556-69b45ec59404/ruriposemofegiwebi.pdf
- https://s3.amazonaws.com/fizaxo/cch_chnh_file_b_ngc.pdf
- https://uploads.strikinglycdn.com/files/9f22a338-7444-4aeb-b95c-319ed4e253f2/87049526220.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e494.bin` `67ccf1c7d6a6fc699834f936fdba8062925cc9dbd3c6fe41630eabf6ad743a52`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE494	5468 bytes
`font_01_sfnt_off0000f74c.bin` `72ac81e685854ab720e75043b39767a6b72388057e66512ee7e8fb6381fb705e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF74C	11336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.