PDF malware analysis — malicious · a4800dfbf04119ba

MALICIOUS

PDF

42.6 KB Created: 2020-10-23 18:53:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14

MD5: 988fc64dbc9dce65ef5c637cade13bff SHA-1: 359e5d4d4748e2376f8ff02b61fe7b05eb5a5dca SHA-256: a4800dfbf04119ba1f7c8c2c7672493632bd6b34c359dfb7de49dda3f52df01f

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating a redirector link to known malicious infrastructure. The embedded URL `https://cctraff.ru/strik?keyword=volveria+a+mentir+evelyn+de+la+luz+t` is the primary indicator of malicious intent, likely serving as a lure for phishing or malware distribution. No scripts were extracted, but the presence of a malicious URL in a PDF strongly suggests a social engineering attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/strik?keyword=volveria+a+mentir+evelyn+de+la+luz+t In PDF document text
- https://cdn-cms.f-static.net/uploads/4369922/normal_5f89582f7a2ef.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4382201/normal_5f917e7a29d6f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4371498/normal_5f91a409a9a0a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4371809/normal_5f8d726b4c2ac.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4377938/normal_5f8d8f254f5fd.pdfIn PDF document text
- https://jazexupojofon.weebly.com/uploads/1/3/1/4/131409098/f54668ef5.pdfIn PDF document text
- https://babinekisifuve.weebly.com/uploads/1/3/2/6/132696104/nowuribinajefojavot.pdfIn PDF document text
- https://fijojonibiw.weebly.com/uploads/1/3/2/6/132681787/8279107.pdfIn PDF document text
- https://rixokofumi.weebly.com/uploads/1/3/1/3/131380985/6e2b73.pdfIn PDF document text
- https://wefamojugibe.weebly.com/uploads/1/3/1/1/131164519/3573319.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/cebeb84e-7a72-4f21-aa45-ce8f1afde38f/tutoliwurakip.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9a79a4dc-4906-42a9-9b68-054de115421c/soccer_head_championship_unblocked_games.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2c0204b9-17d4-45ee-bf81-0eecd428322b/15157356086.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/31127848-2a35-4e0e-b453-91bc1e36042f/50017867739.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/183925d1-e4fd-436b-92f3-33e064bc5874/firivasaxuzolaxa.pdfIn PDF document text
- https://s3.amazonaws.com/zirojopemup/indexing_and_abstracting_in_library_science.pdfIn PDF document text
- https://s3.amazonaws.com/leguvefu/83766938242.pdfIn PDF document text
- https://s3.amazonaws.com/mijedusovineti/pupopenosife.pdfIn PDF document text
- https://s3.amazonaws.com/gurowozenupifi/dosenoritulegipunalu.pdfIn PDF document text
- https://s3.amazonaws.com/vexeliku/89735365607.pdfIn PDF document text
- https://s3.amazonaws.com/zuxadol/rudolf_steiner_lucifer_et_ahriman.pdfIn PDF document text
- https://s3.amazonaws.com/leguvefu/brain_on_fire_memoir.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0432/5031/9528/files/48922039862.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0440/7744/9366/files/fivajamiwubajafis.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0433/8896/0933/files/yugioh_capsule_monster_coliseum_elements.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000593c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x593C	4852 bytes
SHA-256: `9715c420fffa12886ad1d79fc5321ca3a5e59c8a14fc6f35153d823729d3fb12`
`font_01_sfnt_off000069a7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69A7	10856 bytes
SHA-256: `7e20c2f77ef426cee088c09034d5b58c5c0fd973241aad007b011ab85f17750f`
`font_02_sfnt_off00008c9c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C9C	4324 bytes
SHA-256: `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`

Open this report in the interactive analyzer, or submit your own file for analysis.