Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd1ea99f6667b26c…

Verdict: MALICIOUS
File type: PDF
Size: 77.6 KB
Created: 2020-11-20 22:00:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 937fceeae714f5272822ad99f309f7ea
SHA-1: e4c741166c444d8733fcf9cdf05c69523c135fd8
SHA-256: cd1ea99f6667b26cb228174ade47b0a856eb6bdf234411793035d9279f544c09
Risk score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a malformed, exploit-looking stream, and a high-confidence ML classifier flags it as malicious. It also carries a lure for a free download that links to a redirector URL. Although no scripts were extracted, the PDF structure and the embedded URI suggest a phishing attempt to trick users into downloading potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=adb+driver+xiaomi+redmi+note+2 (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_005_off000108bf.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x108BF
    Size: 19868 bytes
    SHA-256: 6414866e17faa0cecf6326990a55da5138b9b0ed9badf905d5f42201db4c54b1
  • font_00_sfnt_off0000d0f1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD0F1
    Size: 5152 bytes
    SHA-256: 1fedc25abaa40c5266c9e896f588d3223d285072238a7225d7eba23c8daf671e
  • font_01_sfnt_off0000e268.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE268
    Size: 11168 bytes
    SHA-256: a9fabf0015c328c360d59bd2ffe7651526d33c949e4b44f40b74f9e325a99005