PDF malware analysis — malicious · 193189f097bb989d

MALICIOUS

PDF

84.9 KB Created: 2021-03-29 08:59:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6da5d471c198c30e08bf15cb7162f995 SHA-1: edac77db9ccbe18bae867d323eec6d94efa188b8 SHA-256: 193189f097bb989d8dfe661e4d72310e571d96c3a0b080644d716904e79a08fa

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, contains references to "Cambridge checkpoint maths past papers", indicating a lure to attract users to potentially malicious URLs.

Machine Learning

Nyx PDF Classifier malicious score 0.9985

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/123?utm_term=cambridge+checkpoint+maths+past+papers
- https://cdn.sqhk.co/bitenutugiw/fEieYgg/women_s_remix_road_shoes_review.pdf
- https://cdn.sqhk.co/guwaloxipete/pjhRicB/12032907371.pdf
- https://boxoxezerutevok.weebly.com/uploads/1/3/4/3/134317212/6992432.pdf
- https://cdn.sqhk.co/jevikepuja/fBiihfB/67565643674.pdf
- https://forexegazujolo.weebly.com/uploads/1/3/4/1/134108883/931efc8ce.pdf
- http://pukebebizadolu.mypressonline.com/list_of_wh_family_words.pdf
- https://cdn.sqhk.co/vuzefoveniri/jFjf5VU/business_bookkeeping_spreadsheet_free.pdf
- https://somirurawepaf.weebly.com/uploads/1/3/1/3/131381963/4e24e3f746d.pdf
- http://vuzetasavuxoso.mygamesonline.org/asus_m5a97_plus_drivers.pdf
- https://cdn.sqhk.co/libuzewis/cImjcJ3/69212881723.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/7b3d05f7-17d6-4d92-8d93-f91cc0725a2f/iwb_holster_for_taurus_pt140_millennium_pro.pdf
- https://uploads.strikinglycdn.com/files/931582c4-b2df-41ba-a41b-0bb77c8a85d8/britax_marathon_expiration_date_canada.pdf
- https://uploads.strikinglycdn.com/files/e1b1e8cc-d91d-4ec2-839d-626293f6e4ae/dusajamomen.pdf
- https://uploads.strikinglycdn.com/files/7f33604d-5083-4fc9-a783-c1745bf5bd8e/lanazijudaroxamulopora.pdf
- https://uploads.strikinglycdn.com/files/801e124d-bcdb-4617-8054-402f231ca207/jawaxozukadewejirivapesi.pdf
- https://uploads.strikinglycdn.com/files/6fd808cf-6e7f-426a-b04b-c1ccc2b4a5a1/words_to_describe_clouds_in_the_sky.pdf
- https://uploads.strikinglycdn.com/files/d57bba63-4a73-4015-8a59-d6b1659dc497/honeywell_6160v_user_manual.pdf
- https://uploads.strikinglycdn.com/files/63eb80bd-8e11-4171-9199-5952973e05e8/debowozarumoxefure.pdf
- https://uploads.strikinglycdn.com/files/23cf7de9-4d5e-4d81-bbc8-2e4934141b61/bond_markets_analysis_and_strategies_9th_edition_ebook.pdf
- https://uploads.strikinglycdn.com/files/5ed00040-0881-4043-8e99-d71892a0b40d/42441960031.pdf
- https://uploads.strikinglycdn.com/files/b80b320f-e768-48a9-803c-9f22735b4037/38933637575.pdf
- https://uploads.strikinglycdn.com/files/a0814dd1-ee8d-4e34-9f1c-b945cb91210f/how_to_reprogram_bose_remote.pdf
- https://uploads.strikinglycdn.com/files/2bccda1b-a42e-428c-b184-e7437b577154/81825300275.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e6ea.bin` `331c73b0f4d9c773e3b17f5bbdbc81bd4adc6d7ec21b24a7591a4a60bfa0d84f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE6EA	5468 bytes
`font_01_sfnt_off0000f957.bin` `a951f0e3e4009d073a4d9fe9490f171573aa6307959d18d2233ff924cf5bd106`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF957	11128 bytes
`font_02_sfnt_off00011f75.bin` `4ebec91b25fd13be4764119a7bf458a2d76051484c263fb3dfb333fa193aff7f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11F75	16388 bytes
`font_03_sfnt_off000135a3.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x135A3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.