Malware Insights
This PDF document was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It contains a large number of external links, suggesting a link farm or redirection mechanism. The primary URL, 'https://jacksth.ru/wb?keyword=legend%20by%20marie%20lu%20full%20movie', indicates a lure to a website disguised as a search result for a book, likely to distribute further malware or engage in phishing. No scripts were extracted, but the PDF structure and link farm behavior are indicative of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9985
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://jacksth.ru/wb?keyword=legend%20by%20marie%20lu%20full%20movie
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00016a28.bin 82544c2376dd11c7e04106bd0594579d0b6d9b3b50f9e4714877ca8744821344 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16A28 | 5292 bytes |
| font_01_sfnt_off00017c1d.bin 03621652d10fb600abcbe8c31ed6680bc298fb16a6360f8de22481a905398700 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17C1D | 2944 bytes |
| font_02_sfnt_off00018623.bin 79a0f642edecd83a991330ad57ed821a34c3be20d90abda58eb01857db77996a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18623 | 11068 bytes |
| font_03_sfnt_off0001ac37.bin cd7e1fe9b6c9e44366a324800f90d9693e1a4099f6d1fdc4d6c739daa9aa445b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AC37 | 16344 bytes |