PDF malware analysis — malicious · d0eb16ea27a9e35b

MALICIOUS

PDF

43.9 KB Created: 2020-08-24 01:47:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f5e30de76edb095af35afc5c60c3b93d SHA-1: cc60297a53fc4af698fd7cd65d76af96c39583a9 SHA-256: d0eb16ea27a9e35b567eb8c722920c7ee15ea91e4afad6f25bae3b3c10b38020

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to translation apps and the malicious URL, suggesting a lure. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm further supports a malicious intent, likely for phishing or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=english+to+arabic+translation+app
- http://fivesa.cynthiakurklis.com/uploads/1/3/0/9/130969042/7389615.pdf
- https://cdn.shopify.com/s/files/1/0437/3653/1095/files/10390615983.pdf
- https://cdn.shopify.com/s/files/1/0431/1629/8393/files/alyosha_the_pot.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lunugituvalu.pdf
- https://cdn.shopify.com/s/files/1/0434/3549/1490/files/30135813430.pdf
- https://cdn.shopify.com/s/files/1/0428/3600/0931/files/baixar_reader_adobe.pdf
- https://cdn.shopify.com/s/files/1/0430/7946/7170/files/kaputozajuv.pdf
- https://cdn.shopify.com/s/files/1/0434/4145/5261/files/zafofojuwubejigabodagad.pdf
- https://cdn.shopify.com/s/files/1/0428/0870/5187/files/pmp_flashcards_5th_edition.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006209.bin` `3859e47f609c12f7fbf976f0daca9c9cb3749c1a198b1e47464717c1ec862d77`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6209	5292 bytes
`font_01_sfnt_off000073f6.bin` `fde507d3e12ec33e68adf7e75fc7402ffd28b0db1492fb6dd1e3c49ab7b9519b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73F6	3120 bytes
`font_02_sfnt_off0000807b.bin` `1f4b1ed5e5b0a7ae4d9d2b616e6fcf4c8b822749480e4289a557f520fbc6498b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x807B	10096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.