PDF malware analysis — malicious · 11b71c31daa2f8b6

MALICIOUS

PDF

68.9 KB Created: 2020-12-05 12:12:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23

MD5: 2cf52369030e89bf3e2d88399a626513 SHA-1: ff590a6b8988fe0780b8a1815e1eb3530d8c59c6 SHA-256: 11b71c31daa2f8b619edfb4a3f1494926c68ccf3b554b4a01c6ea4e30f0523b0

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, many of which are hosted on disposable domains and appear to be part of a link farm designed to redirect users. One critical heuristic identified a brand-impersonation credential phishing lure for 'Target', pointing to a redirector URL. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH

Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://gebekogekikak.weebly.com/uploads/1/3/4/6/134694855/lilozapir.pdf.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffnew.ru/strik?utm_term=a+modest+proposal+chart+answers PDF link annotation
- https://cdn-cms.f-static.net/uploads/4463005/normal_5fc145d7db96a.pdfIn PDF document text
- https://gebekogekikak.weebly.com/uploads/1/3/4/6/134694855/lilozapir.pdfIn PDF document text
- https://sowameneritela.weebly.com/uploads/1/3/0/7/130775755/zejizov.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4409606/normal_5fa70627e7aa6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379032/normal_5fa415cd2398b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4470226/normal_5fc6b5c549249.pdfIn PDF document text
- https://pavowojavujide.weebly.com/uploads/1/3/1/3/131398322/9677244.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4461483/normal_5fbf084fcdd5c.pdfIn PDF document text
- https://xumabilere.weebly.com/uploads/1/3/1/1/131163638/b60ce.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4385202/normal_5fa471b0e09d7.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/tetofamuxulil/sulezojafaxedifaf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ce2c5005-80e4-4779-a96d-7ec24e576ab4/naruto_two_nine_tails.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/49013009-843f-4ba8-bca3-90fb03c2e9dd/32637084068.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0597789d-008f-4d46-8b5b-ff276b8fa580/confidential_information_memorandum.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7c8fe577-0644-404b-8d24-6ddece6ef179/nixat.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/30d5feb2-f998-4515-9060-4dec5df5cf0d/45765981980.pdfIn PDF document text
- https://s3.amazonaws.com/tasufagijaremo/l_t_e_full_form.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d1af.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD1AF	5396 bytes
SHA-256: `1112023110e53e9598a282015b4292588ea82eeb87f5f327898132620a65973c`
`font_01_sfnt_off0000e3e7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE3E7	10212 bytes
SHA-256: `56471250bb05348aa0e4cea945673978dfe7b7e13f7c35d2c250db2f8600bc69`

Open this report in the interactive analyzer, or submit your own file for analysis.