PDF malware analysis — malicious · f88b057298ea027f

MALICIOUS

PDF

41.2 KB Created: 2020-10-17 04:47:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-04

MD5: 88046a592811e72cd4a60b8f2a080919 SHA-1: c628d6d5dfec07f76c571a63f34909aad2a35b92 SHA-256: f88b057298ea027f0cdac8f453185ac6d9148a8b33392331b0cfb4975e847ee6

194 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/123?keyword=4+stroke+petrol+engine+lab+manual In PDF document text
- https://cdn-cms.f-static.net/uploads/4365649/normal_5f8774751870f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375352/normal_5f8a4c958c206.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367013/normal_5f883ef975a99.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367919/normal_5f87a602759a3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365580/normal_5f8986d50ffcf.pdfIn PDF document text
- https://baletepo.weebly.com/uploads/1/3/0/7/130776023/8126c.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/382f18d3-9095-4622-b365-627c34784365/35155538430.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dec67c18-6126-4c30-ac89-446872113f7f/binanopujexoxisobewabir.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/406a1abd-00db-4b12-9c69-2d35afa3a473/bovedajijej.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dd587f8a-929e-4633-b98a-8185706d2e1f/vogijomejabedobavavi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5269b3f0-d176-4cb9-a964-94485062727c/45970950183.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c570ca8e-d01c-425d-aa3d-f791e87865a2/jifemuwokaronefer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/08818856-085f-4352-97bf-ef9a81c4558b/supiturudirepevinoka.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0501/2494/7621/files/hello_kitty_toy_bin.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0500/8277/5212/files/52214708289.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a10cd261-c41f-4094-a8da-470a977c1fd5/xuworipidaziwatigu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/742357ff-2692-4e3d-a17a-dd9020cf1f38/83277575911.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8e010dca-2b2f-4139-b408-7f7da5afb0a2/resogumojame.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b5ff3174-4fa8-4982-95de-888fa125bd48/93669866455.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/72b5223e-e67a-4ae7-8e2d-861382ddddd9/zagigurodevojufimatut.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006491.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6491	5336 bytes
SHA-256: `7b1ef5533e38a8d17f5fac9095b1d9ed4fdf0e501bb8ae3c3bbd8b6922f9ca36`
`font_01_sfnt_off000076a3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76A3	9724 bytes
SHA-256: `7a732c7904dc3682372fd7ad07a3be14dfcf450d50d38d4fc6bf7e45dec2fce5`

Open this report in the interactive analyzer, or submit your own file for analysis.