PDF malware analysis — malicious · 9403a3c33cec828b

MALICIOUS

PDF

251.5 KB Created: 2020-08-02 23:18:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c9df899f2a4cb5f171325a093b155e80 SHA-1: 6678f0a1b0942c01c302f69a28a2a55383c2a955 SHA-256: 9403a3c33cec828bf4075de66cf8508096dfb13b912614edd36c0ab71debc7a9

92 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF contains an embedded URL that points to a known malicious redirector. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, contains a reference to the same malicious URL, suggesting it's the primary mechanism for luring the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=morrowind+short+blade+trainer
- http://files.shadowofthestatue.com/uploads/1/3/1/3/131398091/eb25d.pdf
- http://files.lagrangehorse.com/uploads/1/3/1/3/131383665/6dd7bab24de8616.pdf
- http://files.foodloveblog.com/uploads/1/3/1/3/131380868/vosirijofa.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/fulefevizurosojasi.pdf
- https://cdn.shopify.com/s/files/1/0428/8105/6935/files/86448271840.pdf
- https://cdn.shopify.com/s/files/1/0430/8667/6117/files/texogakewefovodig.pdf
- https://cdn.shopify.com/s/files/1/0427/9821/9420/files/fupezufaxaguxodemanuwawo.pdf
- https://cdn.shopify.com/s/files/1/0435/1347/9320/files/86777509383.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/3789128943.pdf
- https://cdn.shopify.com/s/files/1/0428/5018/9478/files/kupexejodofogedoma.pdf
- https://cdn.shopify.com/s/files/1/0434/2031/9893/files/muporaxodosajaf.pdf
- https://cdn.shopify.com/s/files/1/0431/7102/0964/files/20632549921.pdf
- https://cdn.shopify.com/s/files/1/0430/6645/8266/files/poxidegobupipitomebegat.pdf
- https://cdn.shopify.com/s/files/1/0437/0300/9434/files/kowivipezirusumatoripiw.pdf
- https://cdn.shopify.com/s/files/1/0430/1396/3935/files/jeser.pdf
- https://cdn.shopify.com/s/files/1/0432/0709/8529/files/bizarixagunabekam.pdf
- https://cdn.shopify.com/s/files/1/0429/9846/4661/files/77218656562.pdf
- https://cdn.shopify.com/s/files/1/0437/9839/7085/files/47299443814.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0003a63c.bin` `8140cde7bcdac7591317050cf0edd7efe531461d5c1995ebd24db266222ad023`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3A63C	5152 bytes
`font_01_sfnt_off0003b7d2.bin` `1b2bbe03780c9ebb9c5f395e3ce1bfe0d815ce29fe7a895fa19258436973d28c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3B7D2	12188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.