PDF malware analysis — malicious · c02bd0907fa4bc02

MALICIOUS

PDF

59.3 KB Created: 2020-12-04 08:36:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-10

MD5: 66a45a787558206dfc8f9c0427a79840 SHA-1: 785034b2250e85b5b39d99b49529f8769d35527e SHA-256: c02bd0907fa4bc02b868f714cd6d1427e37964d1aff1a9eccd41726316bdfabb

194 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/aws?utm_term=ifrs+balance+sheet+template In PDF document text
- https://cdn-cms.f-static.net/uploads/4368991/normal_5f8f59bb4566a.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://static1.squarespace.com/static/5fc0f27ea13a450babf44921/t/5fc3987af81c9a2a0c108eb6/1606654075814/cheapest_leatherworking_guide_gw2.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1da35cb9-3e44-4346-a96a-c34f6b718835/lemexoko.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc106fbd49dd1244734cdd3/t/5fc7f33af6cc385c9ff339fc/1606939450752/wobud.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbceeff1491241adc443aed/1606217472117/15928125694.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fd4147da-8838-47ab-a35f-39b656056207/factoring_quadratic_equations_practice_worksheet.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/52c63b1b-a2ce-4941-a924-f9baa8704c00/risituwusabu.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd400222e2ed11fd25ca72/1606238210390/pro_football_unblocked.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc1ae84085bf90c0e029602/t/5fc3a6659ee0f32b87c31b09/1606657645580/94001391718.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b9deace6-85d5-41b8-81db-f67d56d35c94/xerukipagoge.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc0dfe77d0c8f249d40ab54/t/5fc2959218e72e5fdb2be4a3/1606587795005/69486306877.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/926b325b-7e7d-4342-8451-8691816012e5/57779592406.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a750cf6f-79e6-4647-9cf9-bd21ff1e0c8f/kigatoganixap.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbfd308239b0722912b0841/t/5fc54d689b1ed035388c5fc3/1606765928226/sivaso.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc5b8d58ef7301f8b31fd81/t/5fc9b29c1a258d244fdbf94a/1607053981028/maze_runner_book_2_common_sense_media.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ae59.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAE59	5332 bytes
SHA-256: `99b0177cd1aab447e94a9b8a01e57622c6995665717b6c56f82ac2f8e603850f`
`font_01_sfnt_off0000c04e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC04E	9624 bytes
SHA-256: `b21be03c27bf11e3631ea0e91f6a15444589ddd35c7e849b77c7aaf33cb0dbab`

Open this report in the interactive analyzer, or submit your own file for analysis.