Malicious PDF — malware analysis report

Static analysis result for SHA-256 a33a0f43f4f662c6…

MALICIOUS

PDF

Size: 33.3 KB
Created: 2020-11-03 02:28:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78f7a617ff62869da635e8de362d23e9
SHA-1: 99dc934f031ac65491aff82bc70d6ca6b733915f
SHA-256: a33a0f43f4f662c6aff663d73e128273848670c5aaddf5c9bd9c8ec232acc917
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A critical-severity heuristic fired on this PDF for a link to a known malicious redirector, 'https://gettraff.ru/strik?keyword=sword+art+online+alicization+episode+13+dub'. In addition, the ML classifier flagged the PDF as malicious with high confidence. The embedded URL is most likely intended to lure the user into clicking it and visiting a site that may host further malicious content or phishing forms.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/strik?keyword=sword+art+online+alicization+episode+13+dub

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004591.bin
SHA-256: b054eefade4bf2ab56430a76743fdf9ef8cd52aba1d0f6798bba0b4cb3fb758e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4591
Size: 5668 bytes

Filename: font_01_sfnt_off000058fc.bin
SHA-256: e5580f5e7e3d7d96b8cf84791ba061beb164ed4466da2ef23e9bf4d127110adb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x58FC
Size: 9116 bytes