Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF contains numerous external links, including a large number flagged as a 'PDF_SEO_LINK_FARM'. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic suggests a lure to download content. ClamAV detection and ML classification confirm maliciousness, indicating the document is likely a phishing or malware distribution vehicle.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION] ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM] Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON] Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI [info, PDF_URI] PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL] The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL] One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://ponafet.ru/123?utm_term=pop+art+studio+pro+2.+5+apk (PDF link annotation)
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000183a4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x183A4 | 4932 bytes | f80e84b79cc206675b1b72ac71e71f66bb351f0fc6015d33eefb810d69116d56 |
| font_01_sfnt_off00019474.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19474 | 3616 bytes | db77593a170fca4aad4914cc3ef9419fc8a9d9bad17c7ef2428631310931d797 |
| font_02_sfnt_off0001a26d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A26D | 12520 bytes | 19fde20995c4d70ec0c72fbea46059c3f04ef198c4f4d6d789e016fa2df46c55 |
| font_03_sfnt_off0001cd64.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CD64 | 16288 bytes | 141a3de5fbc19e566030ccc6482af6fa17f628d50bafb8d023359311288bb8fb |
| font_04_sfnt_off0001e2b0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E2B0 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |