PDF malware analysis — malicious · b1e7dc459f15806a

MALICIOUS

PDF

69.8 KB Created: 2020-11-23 19:52:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 782fd515bad87da49e3ecd181a4f46e0 SHA-1: 0960cceb5eee7db5328c9434250d32a351e1c013 SHA-256: b1e7dc459f15806aa95fd1fe14c24d485dc3603e84a99ab8ebe3b14d49f21d03

214 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious redirection and link farming. Notably, it links to known malicious redirector infrastructure and exhibits characteristics of a PDF link farm. While no scripts were extracted, the presence of embedded URLs and the critical heuristic firings strongly suggest a phishing or redirection attempt, likely delivered as a spearphishing attachment.

Machine Learning

Nyx PDF Classifier malicious score 0.9560

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/strik?utm_term=chevy+tahoe+ltz+2016
- https://cdn-cms.f-static.net/uploads/4481072/normal_5fa6d4aa1b013.pdf
- https://cdn-cms.f-static.net/uploads/4420240/normal_5fad567d6872d.pdf
- https://cdn-cms.f-static.net/uploads/4489834/normal_5fac1b57cddbc.pdf
- https://cdn-cms.f-static.net/uploads/4378379/normal_5fa06c4f02ef3.pdf
- https://cdn-cms.f-static.net/uploads/4378846/normal_5fa4c8c800ce8.pdf
- https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/roriturosiw.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/367e3518-20ec-4e59-a7cb-c85b2383528a/gowodepivapidijogawok.pdf
- https://uploads.strikinglycdn.com/files/d4d78ac4-1dc2-4cdf-9a08-1a9f0460c4a7/rukemuzoxip.pdf
- https://uploads.strikinglycdn.com/files/242c4876-006b-4c5b-baff-2f68c81bb0f9/what_is_a_solvent_pair_for_recrystallization.pdf
- https://uploads.strikinglycdn.com/files/e4220df8-5865-4855-93d2-72963d5c26ea/thriving_plant_based.pdf
- https://s3.amazonaws.com/zemigiduwagafu/broker_fee_disclosure_form_california.pdf
- https://s3.amazonaws.com/xisefowu/pet_ranch_simulator_codes_mejoress.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d148.bin` `d8b7a3cba69e7002db5e6709386b0309689fce3ca4f78966f6ac1400c680dc4f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD148	5096 bytes
`font_01_sfnt_off0000e2ae.bin` `9296571da88c02db64d4f67e9517776053192493ec8bc543439b5b724f250745`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE2AE	16696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.