PDF malware analysis — malicious · be627d3e9103fe91

MALICIOUS

PDF

47.2 KB Created: 2020-10-30 06:21:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ef17510056f2c58593c04639e917ae18 SHA-1: da260dfa89923a672efc37d83110237383413c53 SHA-256: be627d3e9103fe910d0ba9b5a4fe362c6e58d233099fa8d5487456c12378588e

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and contains a link to known malicious redirector infrastructure. The embedded URL 'https://gettraff.ru/aws?keyword=sith+raid+phase+1+best+teams' is the primary indicator of malicious intent. While no scripts were extracted, the presence of a malicious link within a PDF document strongly suggests a phishing or malware delivery attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/aws?keyword=sith+raid+phase+1+best+teams
- https://cdn-cms.f-static.net/uploads/4401716/normal_5f955bf3a707c.pdf
- https://cdn-cms.f-static.net/uploads/4375083/normal_5f8b8ec4302ca.pdf
- https://cdn-cms.f-static.net/uploads/4403806/normal_5f92fcfdab2d2.pdf
- https://cdn-cms.f-static.net/uploads/4367952/normal_5f96886e54adf.pdf
- https://cdn-cms.f-static.net/uploads/4403681/normal_5f9b52b304f05.pdf
- https://kunizemofowirux.weebly.com/uploads/1/3/4/3/134311671/f3553e03e5.pdf
- https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/rugatu-rugot.pdf
- https://cdn-cms.f-static.net/uploads/4369647/normal_5f8b8ff1a576e.pdf
- https://cdn-cms.f-static.net/uploads/4381289/normal_5f92396acfe72.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0437/3338/5381/files/30564541636.pdf
- https://cdn.shopify.com/s/files/1/0430/8339/9329/files/fabius_plus_service_manual.pdf
- https://s3.amazonaws.com/zerejibixupav/wareguwaxa.pdf
- https://cdn.shopify.com/s/files/1/0431/4896/8100/files/super_vpn_pro_apk_2.1.0.pdf
- https://cdn.shopify.com/s/files/1/0266/8003/3474/files/zaparewezilopuj.pdf
- https://s3.amazonaws.com/labitajaxatufib/88150469555.pdf
- https://cdn.shopify.com/s/files/1/0495/5317/8791/files/hcf_and_lcm_worksheets_for_grade_7.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000780f.bin` `79c0c59e1515d2b060a36b6e8091227c37bdd3bdc494ccceac66c7a40a16aa9c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x780F	5460 bytes
`font_01_sfnt_off00008a72.bin` `9cdb336a1fa52ebfb5433bc2989193fe8d16a50d0770c3a47d89542ec91647dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8A72	11064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.