PDF malware analysis — malicious · cd8f01fcc4a521b6

MALICIOUS

PDF

141.7 KB Created: 2020-10-07 00:41:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22

MD5: ce3998c762bd17410013f985e08bcfd5 SHA-1: e9df6d7697b79336f01fd598410d905045fddf1c SHA-256: cd8f01fcc4a521b68d848490d49184054261fd25c9193cea79c0fafa6ec7601d

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links to external websites, many of which appear to be part of a link farm designed for SEO manipulation. One critical heuristic identified a link to known malicious redirector infrastructure, suggesting a malicious intent to redirect users to harmful sites. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. No scripts were extracted, but the presence of numerous links and the malicious redirector heuristic strongly indicate a phishing or malicious content distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9694

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/strik?keyword=the+meaning+of+life+hitchhiker%2527s+guide In PDF document text
- http://files.markst-photography.com/uploads/1/3/1/6/131606348/pegijilogenufiz-posimav-mojame-xopumojituzi.pdfIn PDF document text
- http://files.poochiezprojectz.com/uploads/1/3/1/4/131437932/doluje_nimozexedusi_lirelagebo_todenij.pdfIn PDF document text
- http://files.raynecreative.org/uploads/1/3/1/3/131378796/rabimivonavido.pdfIn PDF document text
- http://files.danikristich.com/uploads/1/3/1/4/131455398/pujamusitoba.pdfIn PDF document text
- http://files.riavandeneynde.studio/uploads/1/3/1/4/131406547/silititukaden_biginizabom_jositoxobebi_kemixemususagaj.pdfIn PDF document text
- https://site-1043601.mozfiles.com/files/1043601/jiregezijetesomegizikepun.pdfIn PDF document text
- https://site-1037275.mozfiles.com/files/1037275/88932631713.pdfIn PDF document text
- https://site-1036656.mozfiles.com/files/1036656/68343429472.pdfIn PDF document text
- https://site-1039707.mozfiles.com/files/1039707/mizekexomaxotebos.pdfIn PDF document text
- http://fedorahosted.org/lohitIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102HussainIn PDF document text
- http://smc.org.inhttp://smc.org.inIn PDF document text
- http://www.opentle.orgIn PDF document text
- https://cdn.shopify.com/s/files/1/0431/1616/7328/files/43821845349.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0482/9878/6971/files/tamotowot.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0435/2871/6440/files/10653354196.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0428/8138/4604/files/legal_broad_statement_meaning.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0496/1258/7171/files/2011_ap_chemistry_free_response_answers.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
- http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text
- https://gitlab.com/smc/meera/blob/master/COPYINGIn PDF document text
- http://sinhala.sourceforge.net/In PDF document text
- http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITSIn PDF document text
- http://www.gnu.org/licenses/gpl-2.0.htmlIn PDF document text
- http://www.gnu.org/licenses/gpl.htmlIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_009_off00018000.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x18000	3204 bytes
SHA-256: `c664cd25de115e8c0c93622acd305f62e4baf2291abdc0f39b6a8f3395fbc04e`
`font_00_sfnt_off00012a98.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12A98	6744 bytes
SHA-256: `e9f3a927e3458f6a1a7f7e35368c85e2dc60181733f14bb34b66b8ddac533429`
`font_01_sfnt_off00014223.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14223	5484 bytes
SHA-256: `2abb90b718a220d43a5614f2ac7397fcdb33678e3dd7c4e6dfd0c75e82904fa7`
`font_02_sfnt_off000154a2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x154A2	3792 bytes
SHA-256: `1fd464739946460e833ade7eb0aa23b85dc4b12a492f056daa29606439ddb77d`
`font_03_sfnt_off0001628c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1628C	4892 bytes
SHA-256: `ae5bed0e8b76699c154df46243735ea5c56d3c078ba71df27917dbddcc8dd85d`
`font_04_sfnt_off00017262.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17262	3600 bytes
SHA-256: `65944923517efc808ef7f8157f370a9959c2fd844649df614385eb8cb2f742fe`
`font_06_sfnt_off00018ce6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18CE6	5612 bytes
SHA-256: `3d802cc5995d55f536a17739b8feb7207f58781f341115108218652133911458`
`font_07_sfnt_off0001a02d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A02D	2812 bytes
SHA-256: `5486a25c3a0d6894b1c224d4eb37387007069b5df2272479612d8d74faef4e5f`
`font_08_sfnt_off0001ac7f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1AC7F	6476 bytes
SHA-256: `a5701b69349cacbaa96002d862a8240938412b19a8045d267622dbd0d5ad85b8`
`font_09_sfnt_off0001bdbc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1BDBC	19976 bytes
SHA-256: `e7c9256631d5211b78c483dab6a1b8847545acc48f5acfd730911e1181d0df51`
`font_10_sfnt_off0001f6fb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1F6FB	19624 bytes
SHA-256: `5b92b37a04a4ca2a9aac79dfc18c67e90dde235d49a61972a670e473a3d98874`
`font_11_sfnt_off00021823.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x21823	3284 bytes
SHA-256: `1f56e21bcd9cc3e63868e2b7289aa18ba23ae988e9ce57852200c2c80cc928ca`

Open this report in the interactive analyzer, or submit your own file for analysis.