PDF malware analysis — malicious · 157ceb362c964283

MALICIOUS

PDF

91.8 KB Created: 2021-03-20 19:19:46 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f8c6bc8140caacdbfeed9c8bc28f8e26 SHA-1: 6823a932f4f91a13a7f7f5dd885539a716d95bd1 SHA-256: 157ceb362c964283c909b033bd83432a5d67dccd28f41e22980d0d5bed99e312

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as Pdf.Phishing.Trojan. The file contains a large number of external links, many pointing to disposable domains, suggesting a link farm or phishing campaign. The primary malicious URL identified is https://vilenefex.ru/aws?utm_term=list+of+black+gospel+praise+and+worship+songs+2018.

Machine Learning

Nyx PDF Classifier malicious score 0.9970

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/aws?utm_term=list+of+black+gospel+praise+and+worship+songs+2018
- https://cdn.sqhk.co/tifobebe/io7GXiM/79982174709.pdf
- http://tk-time.site/48327806380qt0ve.pdf
- https://cdn.sqhk.co/gowamojon/gfaidWS/87775224845.pdf
- http://segway-wheelchair.ru/69425981267lmzue.pdf
- http://savadaqwe.space/sumarazuwomibijasewwpdd.pdf
- http://winoorama.space/fewomesenimpkk.pdf
- https://cdn.sqhk.co/wazikunal/jbzhahe/fesuwug.pdf
- https://cdn.sqhk.co/fumodolanes/jfRjcIZ/apple_music_download_free_apk.pdf
- http://goproonly.com/81665838714wzro4.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://f815f12b-539f-4060-8ed9-abd2caada31b.filesusr.com/ugd/ceb2e8_c134f34d3a7f452c8a8d9cd8e878fb03.pdf?index=true
- https://b3d988c2-7a7d-4c3c-9141-221b6550481e.filesusr.com/ugd/9dda13_f6e91993574d43fa88666f3f602193a9.pdf?index=true
- https://40ba1f7a-6e91-49bb-bbb8-dfbb40a2bc60.filesusr.com/ugd/22bf55_f20a398432fd41c5b78710836bb91fac.pdf?index=true
- https://f43304fd-85e4-489a-8612-81977e01be4a.filesusr.com/ugd/b6f504_3736345bceea4ab7bfa3248241b7d7ee.pdf?index=true
- https://a44a9d9e-3ce9-422e-9b5d-83ef2d4925cb.filesusr.com/ugd/3234e9_1108395d7bbe4c56a348fc8c5509ea35.pdf?index=true
- https://91c7bc9f-df77-4dbd-ae51-8bcf521f3e61.filesusr.com/ugd/1df9ea_cd63673eedd444b99512741ecdcd0088.pdf?index=true
- https://uploads.strikinglycdn.com/files/5e1887be-79d1-499b-89f0-7e696c09b86e/19190116338.pdf
- https://uploads.strikinglycdn.com/files/32cb53ec-e2e5-4eba-89aa-32e2de8e6bbe/88464987043.pdf
- https://uploads.strikinglycdn.com/files/7b3e38d7-5864-497d-aa6b-6c2e3a10d45d/is_dell_optiplex_780_good_for_gaming.pdf
- https://11f44e1d-c86f-4be6-baa1-90970e7c24f5.filesusr.com/ugd/a298ce_3b03acc75ecc4946a7a773e10814f2ce.pdf?index=true
- https://6b21c484-99f8-4e97-b77a-b77c054bfe5d.filesusr.com/ugd/f139d4_2169e598e4a0407cbd2f7808d88d801f.pdf?index=true
- https://d12e84a0-9808-45da-82c6-613dfe540d1b.filesusr.com/ugd/dc8a8e_cef2a28ef92d4ea09e0258cf6b1e3d50.pdf?index=true
- https://3b87a2b8-2d13-4e6d-acc4-cbba57692a59.filesusr.com/ugd/50988c_fd6f4e8854054c1ebc1220b4f1f87950.pdf?index=true
- https://41be308f-8a64-4dec-8b30-4937605be974.filesusr.com/ugd/f042fe_3b6713c9d2564ee1b67faa91cf9df329.pdf?index=true
- https://cdd249b8-77b1-4a94-b024-8995efe4d959.filesusr.com/ugd/d394ff_4859dddc727f418396264155defe8b92.pdf?index=true
- https://uploads.strikinglycdn.com/files/73525fdd-afd4-44d4-9d7f-d3658fd1b80d/37100484806.pdf
- https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_ae0b8286ec644ba78f72f2445f7f8d29.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012335.bin` `e587891f75b2442b36de18282e28d904b9ff127903a9bb497f0337f3edb83861`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12335	6172 bytes
`font_01_sfnt_off00013848.bin` `ab18ad049575ec7ac3bb089da58899dc8815597cb657afa480f5fc9e65c7bb3b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13848	11504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.