PDF malware analysis — malicious · e7ab315fa2818935

MALICIOUS

PDF

34.5 KB Created: 2020-09-02 18:19:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15

MD5: a73d6f7f5e16eefdc9d98623fbdc3ca7 SHA-1: de4bbd3d032510e9f0fdadc4106309991aea1a4e SHA-256: e7ab315fa28189350a49a3721bcc9efe0b5b1ae9f65fe4fe37ca47ecf60b8bf1

194 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/pify?keyword=chinkara+kinnaram+flute+bgm In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_f6ba4b36a0154c989d0c4a13047bd913.pdfIn PDF document text
- https://static.usrfiles.com/ugd/e2b09b_68d4fac0c6414fdca74fbfae5bc474f0.pdfIn PDF document text
- https://static.usrfiles.com/ugd/a43ec6_7e9b8f7fbd054345a936cd851f0369c2.pdfIn PDF document text
- https://static.usrfiles.com/ugd/3e9e83_fb31b3b93eda4932a15c7542392584c9.pdfIn PDF document text
- https://static.usrfiles.com/ugd/be19e1_d96ac83ec5244265b430f59535af7fdb.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0457/3164/3558/files/codex_gigas_full_english_translation.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0440/1764/7766/files/katojo.pdfIn PDF document text
- https://static.usrfiles.com/ugd/45fd81_1c2bfdf8c14f4192b30d3ee7b2f9ceee.pdfIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_896e6c8cd91a4d209ff8a5ee2591cd35.pdfIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_912569e4c4bb43e8b098a71aeca5d8d9.pdfIn PDF document text
- https://static.usrfiles.com/ugd/9b5f63_9b2006d4186649558caaf71349981f89.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0431/6866/1660/files/vevegesefi.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0430/2172/9955/files/berexorutugimu.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0427/9340/2534/files/72953217980.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0435/7678/7103/files/40425795056.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0432/2318/7614/files/nabujuxovovebuxoveraz.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000049a2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x49A2	5112 bytes
SHA-256: `87234c84945cf73ad6d14ea976d46b372af653b9676818120246cf5cfc3ddf7a`
`font_01_sfnt_off00005ae1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5AE1	9944 bytes
SHA-256: `64c0350e4ad0c8b6866d64427ccf91193ba3fa430e8241b62d2f0b1d0687adc5`

Open this report in the interactive analyzer, or submit your own file for analysis.