PDF malware analysis — malicious · 000850dab0ed3925

MALICIOUS

PDF

65.4 KB Created: 2021-03-19 22:35:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 20ee5d6aa5023035637496eca2020577 SHA-1: af9c4873c31a68efc0eac9d04a51ec2fdfa971af SHA-256: 000850dab0ed39257c00cf66672cac6f2210b064a7e2c5a7f9a3be64af22aa9e

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO manipulation tactic. One of the primary external URLs is https://baarspo.ru/award?keyword=12th+zoology+practical+book+tamil+medium+pdf. While no scripts were explicitly extracted, the presence of embedded URLs and the ML_NYX_PDF_MALICIOUS heuristic indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.8471

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/award?keyword=12th+zoology+practical+book+tamil+medium+pdf
- https://cdn-cms.f-static.net/uploads/4479688/normal_603a7ec67cd9b.pdf
- https://lugapageragije.weebly.com/uploads/1/3/4/6/134617753/netogiv.pdf
- https://cdn-cms.f-static.net/uploads/4416513/normal_6012eac7216de.pdf
- https://static.s123-cdn-static.com/uploads/4459629/normal_6008b5fe36901.pdf
- http://ionatr.fun/74273180651a5lcj.pdf
- https://jezinuva.weebly.com/uploads/1/3/4/8/134869759/3dac6e0533f.pdf
- https://cdn-cms.f-static.net/uploads/4426957/normal_6029acf472441.pdf
- http://profmaster74.ru/31488952485t7rme.pdf
- https://cdn-cms.f-static.net/uploads/4391326/normal_601080039ab33.pdf
- https://static.s123-cdn-static.com/uploads/4426957/normal_5fdfde781e486.pdf
- https://static.s123-cdn-static.com/uploads/4375894/normal_5feea49cf1939.pdf
- http://hookup666.site/pakubunirijexuradelujaxzg00u.pdf
- https://cdn-cms.f-static.net/uploads/4449974/normal_603a52d710aad.pdf
- https://cdn-cms.f-static.net/uploads/4499651/normal_604a81dc5daf7.pdf
- http://devgm.design/66070948824tpoib.pdf
- http://gijaziveved.iblogger.org/java_numberformat_currency_negative.pdf
- https://cdn-cms.f-static.net/uploads/4485714/normal_6028779868636.pdf
- https://defelidiko.weebly.com/uploads/1/3/1/0/131070982/f69e9648.pdf
- https://static.s123-cdn-static.com/uploads/4453914/normal_600498aee330a.pdf
- https://static.s123-cdn-static.com/uploads/4451549/normal_5fe19f6e3437b.pdf
- https://cdn-cms.f-static.net/uploads/4480387/normal_6042f3a8a790c.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://nuxizutize.rf.gd/bidadari_tak_bersayap_free.pdf
- http://fulebudizopado.rf.gd/10980864475.pdf
- http://nopilire.rf.gd/buerger_s_exercise.pdf
- http://nosunep.epizy.com/7584368262.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f175.bin` `451ed9811f689c4f560a259bcca86e77eedf2eebd2567a1029abb581ab6119c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF175	5836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.