PDF malware analysis — malicious · 8db36009526014c4

MALICIOUS

PDF

45.3 KB Created: 2020-11-02 04:44:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7e453d4085c3fe3033739889e7381cd3 SHA-1: 99ca932dca53d795138e63b67a4ecd0e08e869dd SHA-256: 8db36009526014c44440180e6b917787d9fdd1bc974f97d7d7d873bc7920e393

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, ggtraff.ru, which is disguised as a study guide. The ML classifier also strongly flagged this PDF as malicious. The embedded URL is the primary indicator of malicious intent, suggesting a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/aws?keyword=chapter+9+study+guide+chemical+reactions
- https://zoxamadafipezo.weebly.com/uploads/1/3/1/1/131164297/luwojovuj.pdf
- https://niliwuwez.weebly.com/uploads/1/3/4/2/134265541/3b6039fea44.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/wujapu/16438097564.pdf
- https://cdn.shopify.com/s/files/1/0503/4465/7059/files/33236571278.pdf
- https://cdn.shopify.com/s/files/1/0484/0567/6192/files/smite_evil_pathfinder.pdf
- https://s3.amazonaws.com/bejenosugede/58613760860.pdf
- https://cdn.shopify.com/s/files/1/0266/8996/2181/files/xamexavo.pdf
- https://s3.amazonaws.com/dinigugaxej/vipod.pdf
- https://uploads.strikinglycdn.com/files/f604d1c0-a50c-41b7-807e-fd494c2ff991/vestidos_de_novia_en_miami.pdf
- https://cdn.shopify.com/s/files/1/0497/3160/0538/files/navy_lace_plunge_bodycon_dress_missguided.pdf
- https://cdn.shopify.com/s/files/1/0506/1004/5085/files/filoberonubebonuro.pdf
- https://s3.amazonaws.com/lovetijif/tipozenawusupalopolamaj.pdf
- https://s3.amazonaws.com/davubewu/a_wrinkle_in_time_chapter_6.pdf
- https://s3.amazonaws.com/fasanag/accounting_standards_6.pdf
- https://s3.amazonaws.com/bodepova/what_does_oy_vey_mean_in_yiddish.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000062f2.bin` `f848400b128956f1df65eff975467abde839286c907bc7c35a741b49b35d0f2d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62F2	5648 bytes
`font_01_sfnt_off0000760f.bin` `814d2aab277362416755c95d752603019c0ea3dd1517200e930b1486958b0865`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x760F	10688 bytes
`font_02_sfnt_off00009a5a.bin` `7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A5A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.