PDF malware analysis — malicious · e64c75596cfd4109

MALICIOUS

PDF

72.9 KB Created: 2021-01-02 14:19:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 73463fcdabf3be3f49d64221ef4f6afd SHA-1: 75231803d515c8dce39f0c08ec4ff98f90809b1b SHA-256: e64c75596cfd4109533dd4b0a6388b8e47e0364f1ba0095a791e123569ebf00f

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This URL is the primary indicator of malicious intent, likely serving as a lure for phishing or to download further malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ggtraff.ru/aws?utm_term=archbishop+williams+uniform
- https://cdn-cms.f-static.net/uploads/4419198/normal_5f9cccb3465a7.pdf
- https://cdn-cms.f-static.net/uploads/4408485/normal_5f9317de37953.pdf
- https://cdn-cms.f-static.net/uploads/4408172/normal_5fe80425501f5.pdf
- https://static.s123-cdn-static.com/uploads/4393362/normal_5fefb82cec99b.pdf
- https://cdn-cms.f-static.net/uploads/4387240/normal_5f8f46c5c1644.pdf
- https://cdn-cms.f-static.net/uploads/4393635/normal_5f920fa425078.pdf
- https://woxejisuwu.weebly.com/uploads/1/3/4/3/134322210/fadirifajex.pdf
- https://fejagirizow.weebly.com/uploads/1/3/4/5/134525681/sepusodujoxozali.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/xovekolamoxe/ligagexej.pdf
- https://uploads.strikinglycdn.com/files/9a9e4d78-71c4-4e9f-b5b0-370f97e73065/82975934124.pdf
- https://s3.amazonaws.com/tadovu/list_of_architects_in_delhi_ncr.pdf
- https://s3.amazonaws.com/juvetaso/ser_vs_estar_worksheet_answers.pdf
- https://s3.amazonaws.com/fewunadupop/pillars_of_eternity_damage_guide.pdf
- https://uploads.strikinglycdn.com/files/f54a951e-2666-4d4c-bbc9-348fc78daabd/fafavaxajipidawasi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dd6d.bin` `d5c90f7066c5931990027ab6c47bfe489483696fe5c1c6c8b049034ce7e19f95`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDD6D	5476 bytes
`font_01_sfnt_off0000eff6.bin` `36f10b70bf2675a747f3c6f6a5e6cb27c6811a0fa6575c2a0834d438a74b5118`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEFF6	11664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.