PDF malware analysis — malicious · fe9ed5f23d59c844

MALICIOUS

PDF

42.0 KB Created: 2020-09-20 15:43:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0ae12f3973ec0465c7d143f0cf540441 SHA-1: d7c301e94810420309ca6062b9cf9edc70cb4e0b SHA-256: fe9ed5f23d59c844771759ac5528d8c6010996aa079cf133c4c2a44eaa06911f

92 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL 'https://ttraff.club/wix?keyword=deathly+hallows+pdf+weebly' is the primary indicator of this malicious redirection. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL is sufficient to classify the attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=deathly+hallows+pdf+weebly
- http://tawozeke.firsteatright.com/uploads/1/3/0/9/130969332/e77766695b57.pdf
- http://lusebeg.thejacquelineford.com/uploads/1/3/0/7/130740082/5fb3a30f853cd7.pdf
- https://fd96a331-6278-47e6-b757-98883a01604e.filesusr.com/ugd/fa32a6_f990398454df4f26a353c8ff43441a9c.pdf?index=true
- https://697dcc4d-58b0-4885-89a4-dcaa8c8f1f4a.filesusr.com/ugd/83b1b3_ccdaa99a62f84cfa92a034a08ada1a84.pdf?index=true
- https://d4557fce-cddc-44a8-857e-376c1c27e921.filesusr.com/ugd/cec570_9888726bb145473896e6a16a1595fa39.pdf?index=true
- https://cdn.shopify.com/s/files/1/0433/9027/1638/files/83537570951.pdf
- https://cdn.shopify.com/s/files/1/0449/8427/1016/files/novidivumuj.pdf
- https://039640b9-cffb-44d0-8c3c-d2eb0d111da0.filesusr.com/ugd/8d46c2_cfc93fe808264f6b8b3eee029e209b95.pdf?index=true
- https://74e4bafb-f1ab-4a70-9135-fe3bc5300ad9.filesusr.com/ugd/017c44_10de35832a4f4d51aa0fe6b43c4adb22.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005a13.bin` `cb6bd0fe547de3cbf4239e06f278a4b468d6585a058da60e22302e14a1a7bd36`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5A13	5000 bytes
`font_01_sfnt_off00006b43.bin` `5e6f6df12bc3deb15625cd5e08810946601a70b27de9ea65ee340850570ac31e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B43	10104 bytes
`font_02_sfnt_off00008dc8.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DC8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.