PDF malware analysis — malicious · 15a33e65d3529894

MALICIOUS

PDF

79.2 KB Created: 2021-05-25 15:58:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 495844c00a8d13685953d531241022ff SHA-1: 3a8c2f28262c64e5c1ebdd892ee73620e90e91a4 SHA-256: 15a33e65d3529894ae63011ab9578ff0f71d9503dcf3527445c04da43154957a

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The ClamAV detection and ML classifier flagging indicate malicious intent. The embedded URL and the primary external link suggest a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.7050

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://kuzutuzo.ru/strik?utm_term=tamil+typewriting+tutorial+pdf
- https://cdn-cms.f-static.net/uploads/4496826/normal_5fd68a17053a5.pdf
- https://rolorizumi.weebly.com/uploads/1/3/4/3/134316308/d87af3d8226b.pdf
- https://gawajofanobovap.weebly.com/uploads/1/3/5/2/135296378/bc23c21105c1f.pdf
- https://cdn-cms.f-static.net/uploads/4476274/normal_605c495f82223.pdf
- https://cdn-cms.f-static.net/uploads/4366397/normal_605a7cf40ddaf.pdf
- https://cdn-cms.f-static.net/uploads/4446174/normal_601bff247e0bd.pdf
- https://cdn-cms.f-static.net/uploads/4460476/normal_603fb06d8c4e6.pdf
- https://static.s123-cdn-static.com/uploads/4469359/normal_5feb43123e783.pdf
- https://cdn-cms.f-static.net/uploads/4464083/normal_601f1c04a6109.pdf
- https://cdn-cms.f-static.net/uploads/4412159/normal_6027d57deb4e2.pdf
- http://fedorahosted.org/lohit
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/b717596f-29b4-47cf-8493-03ef462685be/87062812049.pdf
- https://uploads.strikinglycdn.com/files/608b036b-a342-408a-b681-7fceab59559a/experience_and_education_citation.pdf
- https://uploads.strikinglycdn.com/files/5071cc00-f33b-4072-89fc-6583b27d0b87/53652304098.pdf
- https://uploads.strikinglycdn.com/files/57f3c80b-5926-4fad-b4aa-d79164e46d4a/68087430152.pdf
- https://uploads.strikinglycdn.com/files/5a9f639f-5742-462d-8fdb-3a258e061ba2/snare_rudiments.pdf
- https://uploads.strikinglycdn.com/files/c164c59f-fead-43f3-a186-b058a482e4dd/atlas_lathe_for_sale.pdf
- https://uploads.strikinglycdn.com/files/6a2778b9-55b5-46ba-a18b-139b1753569b/94328522614.pdf
- https://uploads.strikinglycdn.com/files/ffb673a1-061f-4b8f-a925-63d76a2e91a5/tokalumudikusex.pdf
- https://uploads.strikinglycdn.com/files/8dc4aaac-5336-4d91-998e-360cfb7816a2/nojugobiwevadeteridutel.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off0000fa0e.bin` `3a135c936007397d9bb0fc9bbe8f9a021bc9141c057f70a1996c1a681a72d7c6`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xFA0E	27340 bytes
`font_00_sfnt_off0000e7ec.bin` `9b0be714950d2e6f0a699612da01423b6b9633bc26fcebeef06eb8eb9317b85f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7EC	5328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.