PDF malware analysis — malicious · 92aaea463b796e11

MALICIOUS

PDF

56.6 KB Created: 2020-10-30 05:11:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3c78d7ae5f3a1336a72002cacf2516e1 SHA-1: 51abbbc4ec06378e8d1c1af1ddfe4e40500e7218 SHA-256: 92aaea463b796e11a9572edb4f42c180dfe45131b41fbb9b4f709eead369206d

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector infrastructure, indicating an attempt to lead the user to a harmful destination. The ML classifier also flagged this PDF with high confidence. The document body contains the same malicious URL, suggesting a phishing or scam attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/123?keyword=tablets+vs+textbooks+articles+2018
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://cdn.shopify.com/s/files/1/0499/8148/9303/files/jaduwenis.pdf
- https://s3.amazonaws.com/fuwawibu/medical_bacteriology_a_practical_approach.pdf
- https://uploads.strikinglycdn.com/files/a51f3c29-db68-44cb-87e5-a8050046b7f0/gemezibarunojifiza.pdf
- https://cdn.shopify.com/s/files/1/0506/2541/3281/files/vitosotakefoxivefodal.pdf
- https://uploads.strikinglycdn.com/files/56b5b859-617a-48f6-960d-6c89098d20d7/sigexotilapaf.pdf
- https://uploads.strikinglycdn.com/files/7a7c60b3-86d4-4aac-9493-d58f0d0930e3/meturavatavivasikawak.pdf
- https://cdn.shopify.com/s/files/1/0502/4540/2797/files/30678756504.pdf
- https://uploads.strikinglycdn.com/files/f87c7f60-67d7-4b16-a8dd-08f1fdf0ba64/xisoratal.pdf
- https://uploads.strikinglycdn.com/files/d50e27b1-dd93-4251-a8be-95c47830602b/15810733805.pdf
- https://s3.amazonaws.com/sugaguxagu/zefiwofafuze.pdf
- https://uploads.strikinglycdn.com/files/4f1f2232-bf20-4f8d-a079-e630d1a934e2/59080908004.pdf
- https://uploads.strikinglycdn.com/files/7d845311-05cc-4906-9a17-28d4fca789f5/rufawedatemedulalafa.pdf
- https://cdn.shopify.com/s/files/1/0500/9126/2123/files/59125629079.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009062.bin` `3e27d0d647533c3634cc6702f9261276f83dfe45896ef112e26194f2085a4e96`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9062	5276 bytes
`font_01_sfnt_off0000a26f.bin` `0fc6bb9ae69100a7dcbe4e73ec2c0424305c723366e32a139de25c9f589c124c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA26F	10792 bytes
`font_02_sfnt_off0000c73a.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC73A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.