PDF malware analysis — malicious · 05b2239b6632b81d

MALICIOUS

PDF

80.1 KB Created: 2021-05-30 04:02:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: 3f3dfc8c827eb339f9c0dbb6ae50d0e9 SHA-1: 1c2a8b3d137e74f0a6ef2878a6da9bb3900aff74 SHA-256: 05b2239b6632b81dd275c00ce73f6bd0c004cebfb2ec456820f7f4c6c47921f2

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to disposable hosting services like Weebly, indicating a link farm or SEO manipulation tactic. The ML classifier strongly flagged this PDF as malicious. While no scripts were directly extracted, the presence of numerous external links suggests a potential for downloading further malicious content or redirecting users to phishing sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://botokaw.ru/123?utm_term=infragistics+reporting+tutorial PDF link annotation
- https://wosiwimobej.weebly.com/uploads/1/3/1/1/131164223/sabuguwapivu.pdfIn PDF document text
- https://bumibosawo.weebly.com/uploads/1/3/4/3/134374517/jijotaruvuwa.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4403823/normal_6067198d2844e.pdfIn PDF document text
- https://supimoxu.weebly.com/uploads/1/3/5/3/135319300/3431670.pdfIn PDF document text
- https://tidijutaxidekoz.weebly.com/uploads/1/3/4/5/134589823/ed43fc7958.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4455377/normal_600469122b208.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4415052/normal_602373bc5db19.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4381766/normal_5feeb4d1ea5d5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4422628/normal_6035eb74b538a.pdfIn PDF document text
- https://vizegibog.weebly.com/uploads/1/3/4/4/134458583/5078087.pdfIn PDF document text
- https://gukozorupo.weebly.com/uploads/1/3/1/4/131411088/pigifuke_ferurake_kovud_delajoxazix.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4415950/normal_6024882c8247e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4466135/normal_601e1f577030a.pdfIn PDF document text
- https://tijesefufejeje.weebly.com/uploads/1/3/4/8/134858706/3c68556cc52.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4368219/normal_5ff22a9a9cc6e.pdfIn PDF document text
- https://pemugaladesav.weebly.com/uploads/1/3/5/3/135307247/feziparujajutexefov.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/62c06ffa-18f5-4509-9d98-12a27096de7c/clases_de_guitarra_para_nios_en_merida_yucatan.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c34e21c4-d118-435f-a891-834732f87cc5/13132957871.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/877c0aaf-2324-4a9a-bb65-0e2e97c0f15a/zorisawusuworukalaj.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1a09aa5b-d509-4e3a-916b-af6113912fe7/top_wilderness_survival_skills.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f63a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF63A	5120 bytes
SHA-256: `2fb3a8e84639b557c4814e818c1c89a927a28f5fd51812d6489bb25d9123248f`
`font_01_sfnt_off000107c1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x107C1	13540 bytes
SHA-256: `24c7a5a0672640d9b25d9401d25eb261dbe7a8bd3a667815b2ea13e19f15e82b`

Open this report in the interactive analyzer, or submit your own file for analysis.