PDF malware analysis — malicious · a4237ac1a62d7571

MALICIOUS

PDF

51.3 KB Created: 2020-10-19 22:33:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-12-25

MD5: a8ab62b4a690667e7c5738a11d68ce1f SHA-1: 64c513b90250c34cc010db8d636021f397e8ea5c SHA-256: a4237ac1a62d75716fe066789a2bee951a36a60ba5ead0640bdff634217057cf

134 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/123?keyword=bulova+marine+star+instructions In PDF document text
- https://cdn-cms.f-static.net/uploads/4378164/normal_5f8bab2a49d4e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367304/normal_5f8bde894f049.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365583/normal_5f89f54612028.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370285/normal_5f8b275d8dada.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373519/normal_5f8cb81fc9b69.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368997/normal_5f89227a2c6e6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366388/normal_5f8d3eb45a664.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365634/normal_5f88531fbcdbd.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372383/normal_5f89f25c3d5e9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366050/normal_5f87bf8552d67.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369505/normal_5f8cf51c2f861.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4388612/normal_5f8d607736819.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4371536/normal_5f8bc1dedd111.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383471/normal_5f8cfa6668c2b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4376625/normal_5f8b48a51c07e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366335/normal_5f876528afa84.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/99419995-07ed-44d1-a33d-d223e15712c2/5430359729.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7895f561-b0a2-427a-a12d-0b09f3d03827/93577153588.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e1bb36aa-9a4f-4725-b971-5ce065d02d9b/xuzowobevenazolowakili.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/97a5033b-60bf-4937-8c0c-68d52964d944/jawemisidowumalefifori.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3f125e47-910b-47f0-a046-ca519dd46a03/81735668137.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/61a4c8a4-5378-40f7-990e-acf9215d24a4/ielts_liz_agree_disagree_essay_sample_answer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a56af4ea-f03a-44e8-a415-2321be81e530/2869065712.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2262fe1e-c6ff-42aa-9835-331e102b2b79/rebazeme.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0db62b8b-5d9b-4723-ab29-b75d4f66e31a/kaludajalozi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000736d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x736D	5052 bytes
SHA-256: `f8ec7a5c5ec34a2b95fe94abf0640f5c03b4ecefe14e19c718569d61075b2ffd`
`font_01_sfnt_off00008488.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8488	10492 bytes
SHA-256: `02e0f1f42c7a0082b565acc91f5ff88c4af7eb33530dfb197c5ef53aba82286c`
`font_02_sfnt_off0000a871.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA871	16092 bytes
SHA-256: `9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2`

Open this report in the interactive analyzer, or submit your own file for analysis.