PDF malware analysis — malicious · ce1eaeee706123e3

MALICIOUS

PDF

37.5 KB Created: 2020-09-07 18:40:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cf4fa672e00888c00eaab3900fcdd89c SHA-1: 85130f9df778772a91e05c8b60636bf1832d6b55 SHA-256: ce1eaeee706123e358d4f1bfdd1d45df9c7526b0f2bd1797ef15928acc8464fe

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass link farm, with one URL pointing to a known malicious redirector. The document body, though obfuscated, contains keywords related to network equipment and the malicious redirector URL. This suggests a phishing or scam attempt designed to lead users to malicious infrastructure.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=aruba-+2930f-+48g-+4sfp+firmware
- https://static.usrfiles.com/ugd/d2751c_dd891bc64c84415a98cad2e8d8e30a87.pdf
- https://static.usrfiles.com/ugd/538d67_aecf9f287b3c42c9bd8255035abb073a.pdf
- https://static.usrfiles.com/ugd/8c0e65_49c4e6db228b45619b5730f128c8d26a.pdf
- https://static.usrfiles.com/ugd/956c05_666b88f575234ceaa6f84f21c7380a52.pdf
- https://static.usrfiles.com/ugd/b8c837_4b3ccff3355c4b72882e361250503326.pdf
- https://static.usrfiles.com/ugd/9e14ca_15d73b95fb5242edb6e8fd41ca02bea0.pdf
- https://static.usrfiles.com/ugd/18122d_49752b91d3004eaba486e2eb3e91bd7e.pdf
- https://static.usrfiles.com/ugd/493135_9533925c639e4da3a5898163b575c095.pdf
- https://cdn.shopify.com/s/files/1/0432/6385/2708/files/49473920662.pdf
- https://cdn.shopify.com/s/files/1/0434/5200/6552/files/49488720390.pdf
- https://cdn.shopify.com/s/files/1/0437/1379/0106/files/journal_of_flood_risk_management.pdf
- https://cdn.shopify.com/s/files/1/0430/8788/8535/files/81823000417.pdf
- https://static.usrfiles.com/ugd/754d94_d429e64253f941079925fdd7b20562b7.pdf
- https://static.usrfiles.com/ugd/b54ff4_c3aa09bec82e4c40a49a73d479c7d8d4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004ac7.bin` `34b06472e9b23a6244093c19b5e62cbaa02bc796438ac732268c98b6c36801fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4AC7	6320 bytes
`font_01_sfnt_off00006044.bin` `30201874608fbd18449ae0e652182f4be06113e029baf461674bf03da5448267`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6044	12964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.