PDF malware analysis — malicious · ce9ac8cb247551a5

MALICIOUS

PDF

66.3 KB Created: 2020-11-11 21:36:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4a58dce20c2a5983f373728a75f09191 SHA-1: ed62eae7a3a25b696ed0069094d7efffcf5047c1 SHA-256: ce9ac8cb247551a51f30ea8fd26d9eb6a14e656508dc71fbe9a43a8cffc5ae77

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that points to a known malicious redirector. The ML classifier and ClamAV detection strongly indicate malicious intent. The primary attack vector appears to be directing the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/123?utm_term=beneath+the+american+renaissance+pdf
- https://zufesuvagudinaf.weebly.com/uploads/1/3/4/3/134321689/9464902.pdf
- https://cdn-cms.f-static.net/uploads/4377115/normal_5f9421e298e10.pdf
- https://senamevab.weebly.com/uploads/1/3/4/6/134689233/durikirebubezi-bezukamik-vimexororudog.pdf
- https://cdn-cms.f-static.net/uploads/4412396/normal_5f94815f5500e.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/327c9c77-1c9d-48f2-8c4f-2dac2985a562/83755057003.pdf
- https://s3.amazonaws.com/wewuxuviwar/hedonism_download.pdf
- https://s3.amazonaws.com/jiwisigetizoxif/jodubalo.pdf
- https://s3.amazonaws.com/kabisebax/mozapazojexibik.pdf
- https://uploads.strikinglycdn.com/files/13e5fa40-55b6-43b3-aa37-93fff89b9d41/dutozinidulago.pdf
- https://uploads.strikinglycdn.com/files/1210e9e1-8835-4056-b183-65d1ab71002e/21575991968.pdf
- https://uploads.strikinglycdn.com/files/55de55c6-e186-47b4-aa2b-60602f145e42/parrot_car_stereo.pdf
- https://uploads.strikinglycdn.com/files/10e09006-c832-4c2e-9f52-3ca83120d57e/25850763962.pdf
- https://s3.amazonaws.com/winumigutam/nupirimowazujanora.pdf
- https://s3.amazonaws.com/vabedafozo/49832687536.pdf
- https://s3.amazonaws.com/suzeduselu/8750898209.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c727.bin` `657406e998bf2416db30e35dd36077f08c1f9f236a07464340436b02db0b68cf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC727	5412 bytes
`font_01_sfnt_off0000d964.bin` `ec7136cd5c3213e707bce4d03dc0d49153aec1d02a13c44ebecef9f7ff5a824a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD964	10196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.