Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6fd4f5fb97526c9…

MALICIOUS

PDF

Size: 40.5 KB
Created: 2020-11-04 03:32:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d42d5d12754573914866c85fa9eefb2
SHA-1: 96d26890cce9a95c1ddc70b86e1ee6fb4509af81
SHA-256: e6fd4f5fb97526c9a38a859714ab6f2ba61acdde173a8c85a13b733c03f6a728
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a redirector that, when followed, leads to a download for 'lucky patcher hack apk'. This indicates a social engineering attempt to trick users into downloading potentially unwanted software. The ML classifier strongly flagged this PDF as malicious, and the presence of a malicious redirector link further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/123?keyword=lucky+patcher+hack+apk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006013.bin
    SHA-256: 5d81d10d57a6e3f00ba5319470a9aced9a9c247f3d28a6f41afdd8dea5ccb645
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6013
    Size: 4916 bytes
  • font_01_sfnt_off000070dc.bin
    SHA-256: a8acb17097b33751896447b67fb36e529999fca36b4dd930dddc7edc2c9a7b88
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70DC
    Size: 10664 bytes