MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by multiple detectors, including ClamAV, an ML classifier and several static heuristics. It contains a large number of external links, many of them pointing to unknown or potentially malicious domains, which suggests a link farm or phishing lure. The primary malicious URL identified is https://pelibifir.ru/strik?utm_term=what+does+don+mean+spanish, which is likely used to redirect users to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Primary URL: https://pelibifir.ru/strik?utm_term=what+does+don+mean+spanish
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f4e3.bin | 9ab6563f5b5ec48c1d0da22167ad14a897cdc07efc67ef0fdc9a3d2b79cbb6ec | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4E3 | 4872 bytes |
| font_01_sfnt_off00010550.bin | 6ba18bb1e2a8ab895be3c018686cefdb4d4f21370c042697dc10c3d57602e290 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10550 | 11932 bytes |
| font_02_sfnt_off00012c83.bin | 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C83 | 4324 bytes |