PDF malware analysis — malicious · c69a867b36ba1820

MALICIOUS

PDF

42.4 KB Created: 2020-10-05 05:43:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26

MD5: 24d40d82f427a7aa7f16ec95c1301ec0 SHA-1: adb7910d01e9e8356012b8576129ae7e7dbe47d8 SHA-256: c69a867b36ba18208663fdc469653bc6dbf921440b157dd49f7eb4cc8ec003ba

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF was flagged as malicious by an ML classifier and contains numerous embedded URLs, with one identified as a known malicious redirector. The heuristic firings indicate this PDF is part of a link farm, likely designed to manipulate search engine results or direct users to malicious sites. No scripts were extracted, and the document body is heavily obfuscated, preventing a deeper analysis of its specific lure.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/strik?keyword=haridaspur+paradip+railway+company+limited+annual+report In PDF document text
- http://files.freemantherapy.ca/uploads/1/3/1/3/131380550/1274156.pdfIn PDF document text
- http://files.mrtidycarwash.com/uploads/1/3/0/8/130874101/berubilavofegoko.pdfIn PDF document text
- http://files.fierceghouls.com/uploads/1/3/1/1/131164314/3c43292effb9ff.pdfIn PDF document text
- http://lepis.nadiaslamode.com/uploads/1/3/2/6/132696323/9126087.pdfIn PDF document text
- http://files.scottwolfguitar.com/uploads/1/3/0/7/130776099/zezozubumo-tisarolotalijun.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/a9239414-780c-4c30-8182-28126c874898/72050518947.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3c28f1ad-eba8-499a-92a6-424d223cff5a/ponaruguxa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5a50cb3e-5e7f-46c3-bf84-b9b22f51c1fc/zekubujibulufo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f9feb7b2-b35a-4ffd-bf4d-786a2e0fc6d7/28402717982.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0484/9883/5611/files/doom_triple_pack_hacked.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0483/3106/3449/files/27008226523.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0435/1868/9434/files/52365477344.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0441/4016/7320/files/gugoma.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cb4db386-7c8b-473f-9ade-736358c86eb5/dovogibibiba.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f2444b2a-88f3-41d6-873e-f0132dceb17d/ziziniwalemagaf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fa2471ca-efa6-41d6-8ed8-028d6c7b897b/33798086607.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8c573bc6-da5e-4b92-85bc-76a206b74d0b/51424138654.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000573d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x573D	5256 bytes
SHA-256: `9ffa687a3505a0a5d9300a0710184f2430df62440959f2d8dba2e3c27cb1d34d`
`font_01_sfnt_off00006912.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6912	10356 bytes
SHA-256: `1d40ea5cd8f7cf487ae366d0fc8218230503bc28592a1d5b8025a4de54e5bd33`
`font_02_sfnt_off00008c64.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C64	4324 bytes
SHA-256: `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`

Open this report in the interactive analyzer, or submit your own file for analysis.