PDF malware analysis — malicious · 19f5c70c8c59b856

MALICIOUS

PDF

78.9 KB Created: 2021-03-22 13:06:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 873daf8d6d0d7c0a91cbcaf4504ef9e4 SHA-1: 7b74dc016271cd4517e7bb8d2509298479ec5cc9 SHA-256: 19f5c70c8c59b8562fd1eac7732a1772307540a7de1e312c31b57ad95e0d0c36

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a link farm with numerous external URLs pointing to disposable hosting. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests a common tactic to bypass security filters by instructing users to decrypt a password-protected archive, which likely contains the actual malicious payload. The embedded URLs and the nature of the link farm indicate a probable attempt to distribute malware or engage in phishing, aligning with the Spearphishing Attachment technique.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://midufefew.ru/award?keyword=mineral+beneficiation+process+pdf
- http://sigisuzuk.getenjoyment.net/mabede.pdf
- http://vegimawubukuwon.22web.org/55711434755.pdf
- https://static.s123-cdn-static.com/uploads/4470979/normal_5fc59b4861eec.pdf
- https://cdn-cms.f-static.net/uploads/4367005/normal_600aab8d5f67f.pdf
- http://begimewabifax.getenjoyment.net/68488514215.pdf
- http://tetupamino.mywebcommunity.org/samafoveguzis.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://badbb018-ab4e-499b-b788-960949b82e3d.filesusr.com/ugd/4f4c56_15ed67dd496b47c18c43cea3664b736a.pdf?index=true
- https://f1801c53-b3f5-4b94-a9b3-4bb8eb376a66.filesusr.com/ugd/af633f_fbf0314498d74ed5a3d124673f0689e9.pdf?index=true
- https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_e9838e7065654dbeaa74a876e72f8de8.pdf?index=true
- https://f8206d31-21c4-4aef-9da9-e4259ded718a.filesusr.com/ugd/c2bdac_fd28da0c17e24e03b5c480dd8dbe66e6.pdf?index=true
- https://77047a80-9f17-4504-a563-a097c25ca12e.filesusr.com/ugd/5c8b2f_dc4647c6e23340a5aa6056f5ca36d80a.pdf?index=true
- https://8b2103c5-345b-48fd-98e3-f19c90c4efd0.filesusr.com/ugd/0e2875_90fd1dabcdff4bab824e34e4fb083944.pdf?index=true
- http://rotufixijisadi.onlinewebshop.net/xopujinawipeb.pdf
- https://aee666f7-65d2-4416-8089-42e5bd85255d.filesusr.com/ugd/c4036c_6239fb726da74387bdb5554e16291f08.pdf?index=true
- http://kixixobaso.rf.gd/91038559333.pdf
- http://rakawuzigubu.rf.gd/8450009140.pdf
- https://0fc0baf9-b884-4fcd-968e-f93c0f938930.filesusr.com/ugd/68ec51_b62c2ed4940e4fb1a25e380677ab9be7.pdf?index=true
- https://58960a86-a3f4-42d8-866e-ee2cf32068b1.filesusr.com/ugd/1ad962_08ca44e12f9d428594c720d62d61e1cd.pdf?index=true
- http://gefuwaw.atwebpages.com/11800454351.pdf
- https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_55412405ca0f4a8cb2134e66f11a33fb.pdf?index=true
- https://1639490a-f715-481e-9fb1-af38d332269b.filesusr.com/ugd/a59130_50d7d5a6e56b494da9d68c1be51eddbb.pdf?index=true
- http://kudawugijamino.rf.gd/nptel_computer_architecture_and_organization.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f6c9.bin` `c57df22850eff350fa878b9876fc7fa63b61ad7fd3b0a6753ff466a83463508b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6C9	5292 bytes
`font_01_sfnt_off000108de.bin` `730477743da2a59a019cc630e6472ce087f20f3aa3d8b0301d6c4b2a9f3f5b3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x108DE	11056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.