PDF malware analysis — malicious · a6db109decc8bfaa

MALICIOUS

PDF

52.4 KB Created: 2020-09-30 00:25:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 30bf5d379d4dde53901622c8ce7f2604 SHA-1: 1759cc7100132e81605ca21c50dd99839fc5cbef SHA-256: a6db109decc8bfaa513919ed3a4ee3c4f5f1041fc017b91ec47bd441d83d7c51

92 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged by a machine learning classifier and a critical heuristic for linking to known malicious redirector infrastructure. The primary malicious URL identified is https://cctraff.ru/strik?keyword=kandinsky+concerning+the+spiritual+in+art+pdf. The document body contains obfuscated text and metadata suggesting it was generated by wkhtmltopdf, a tool often used to create malicious PDFs.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/strik?keyword=kandinsky+concerning+the+spiritual+in+art+pdf
- http://files.waukeshacountyconservatory.com/uploads/1/3/0/9/130969989/vobodokoze-filelesiwof-pevawuforewine.pdf
- http://files.melissaleighgibson.com/uploads/1/3/2/8/132814086/2285212.pdf
- http://matag.richardbogle.com/uploads/1/3/1/4/131437130/1177433.pdf
- http://files.1boxonline.com/uploads/1/3/2/6/132696351/kirixetibomosusalo.pdf
- http://files.florablackett.com/uploads/1/3/1/3/131383727/7501434.pdf
- http://matag.richardbogle.com/uploads/1/3/1/4/13143713
- https://cdn.shopify.com/s/files/1/0434/4994/2176/files/81993316427.pdf
- https://cdn.shopify.com/s/files/1/0428/9763/7539/files/sukukejibotipipomefir.pdf
- https://uploads.strikinglycdn.com/files/187c9dee-d461-41c3-a8f2-ef52a4f168a6/julezuviwaru.pdf
- https://uploads.strikinglycdn.com/files/ba0161cf-c41b-491a-8ca9-e4f2c29796c9/goxufalepaxej.pdf
- https://uploads.strikinglycdn.com/files/b4b5d033-f9c8-4fdb-b684-4d29b51da196/zojeno.pdf
- https://uploads.strikinglycdn.com/files/503dfb29-ce2e-4d92-a3ae-33410371c9c8/39973603350.pdf
- https://uploads.strikinglycdn.com/files/7f9fbeda-34b0-42b0-bb54-413f66ca1a32/63936356365.pdf
- https://uploads.strikinglycdn.com/files/4899b4d8-3b14-4357-9882-f9404e4d52b6/93515034308.pdf
- https://uploads.strikinglycdn.com/files/e2f22488-dd16-4907-a372-baa1c0396fc4/51030671713.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008e2e.bin` `72780bdcfdf431f2f01a7f9495e6bad51acadd0172ddf72404956f63dc340bb1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8E2E	5552 bytes
`font_01_sfnt_off0000a11b.bin` `d85707518b430e554dc20aa6d46764f5979bec3eb729ee5ffed7cc18111553d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA11B	10300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.