MALICIOUS
Risk Score: 184
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains a large number of external links, identified as a link farm. The primary URL, 'https://wastran.ru/pbw?utm_term=ms+excel+questions+and+answers+pdf+in+hindi+download', suggests a lure related to downloading specific content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or SEO spam.
Machine Learning
- Nyx PDF Classifier malicious score 0.9036
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL: https://wastran.ru/pbw?utm_term=ms+excel+questions+and+answers+pdf+in+hindi+download (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010379.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10379 | 5536 bytes | b87fc318daa8c85a55bef5004cabe45cb0610e982633dcfe12d98854d05faaa9 |
| font_01_sfnt_off00011665.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11665 | 10788 bytes | 686cb8f9dfbd719ecea4bb9534e3b61a0e2771c1839cf1bab0135a3e705986f3 |