PDF malware analysis — malicious · aee6a222a2cf6865

MALICIOUS

PDF

63.9 KB Created: 2020-11-30 21:11:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 975889095986c859b11c4865c800e0bb SHA-1: 95c8ff7efa80dbf738121ed6c401bb59e9a7665c SHA-256: aee6a222a2cf68655c7bc108d7e042f483677545d89cb08fcc79cd809961a2e5

214 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of embedded links, with one critical heuristic identifying it as a link farm pointing to known malicious redirector infrastructure. The primary malicious URL identified is 'https://traffmen.ru/strik?utm_term=plan+with+tan+vap'. This suggests the document's purpose is to lure users to malicious sites, likely for phishing or to download further malware.

Machine Learning

Nyx PDF Classifier malicious score 0.9905

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffmen.ru/strik?utm_term=plan+with+tan+vap
- https://cdn-cms.f-static.net/uploads/4386092/normal_5f93416b35811.pdf
- https://cdn-cms.f-static.net/uploads/4370087/normal_5f892bcb9b0a4.pdf
- https://parudebizaju.weebly.com/uploads/1/3/4/0/134096066/25725e4b34.pdf
- https://cdn-cms.f-static.net/uploads/4417025/normal_5f9b72ebe9691.pdf
- https://cdn-cms.f-static.net/uploads/4369491/normal_5fc149116add8.pdf
- https://cdn-cms.f-static.net/uploads/4370304/normal_5f895927649e1.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/193bef44-0936-47b4-a978-452da0586bb2/67792199387.pdf
- https://s3.amazonaws.com/gifiz/10083635382.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b728.bin` `aff11289bf87f92bc53c0e2abc335208e29b6db8a954e82fd0a5595ffa95d344`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB728	2880 bytes
`font_01_sfnt_off0000c166.bin` `f60a52fc1827095d4c4e9b189cfbf722eef7a46cd9ab38cdf768cfb779700920`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC166	4788 bytes
`font_02_sfnt_off0000d1c6.bin` `35171243f7b6e51298167b7e9513873fd24958c425ddbe2c433664ad838be4fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD1C6	10044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.