PDF malware analysis — malicious · 266236805e90e240

MALICIOUS

PDF

76.5 KB Created: 2021-04-17 21:57:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20

MD5: f4092f8057797d46a64569019a512b69 SHA-1: 1bf875590e3eafa84177917e012fbcdd7f6b9d60 SHA-256: 266236805e90e2409e446f9d72c6bb8b235cf648ceb5c9af0f30bcc2ba7f8c05

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to disposable domains, suggesting a link farm designed for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL `https://mezovuduw.ru/strik?utm_term=verbos+irregulares+en+ingles+y+espa%25C3%25B1ol+pasado+simple` is a primary indicator of the malicious destination.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://mezovuduw.ru/strik?utm_term=verbos+irregulares+en+ingles+y+espa%25C3%25B1ol+pasado+simple PDF link annotation
- http://kinorio5.xyz/wosovazob0vro8.pdfIn PDF document text
- http://boothattendant.com/dukulamaladewikibbcwx.pdfIn PDF document text
- http://216tilford.com/suwotisututoparosigv9ui5.pdfIn PDF document text
- https://meluwirukumipi.weebly.com/uploads/1/3/1/4/131483006/pamuzajelitaxexemed.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4446917/normal_5fd18d6422d8e.pdfIn PDF document text
- http://skidki-day.site/4864480381827ic5.pdfIn PDF document text
- https://jumirugefof.weebly.com/uploads/1/3/3/9/133997886/xudazeromame_kabaresovun_lemawilut.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4418191/normal_604ed7ebb6553.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://6ba8113a-99dc-4618-97bf-d7180f10ff72.filesusr.com/ugd/b6edda_6f7a6bae03c64fb0b0f7cb4272adf467.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/jajoxulabojaso/71750059985.pdfIn PDF document text
- https://5db246a0-94da-4013-9f64-c970003367b9.filesusr.com/ugd/ca5179_bf220d968c794bc7944dcf080602bb30.pdf?index=trueIn PDF document text
- https://33edd578-4186-4695-89f3-f56a5a23fc53.filesusr.com/ugd/f17c08_423688c37884445e8c4547eb1906c87a.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/domegagowevag/important_awards_and_honours_2018.pdfIn PDF document text
- https://bed1e925-73f7-457c-87ff-53f226988024.filesusr.com/ugd/d4a8ce_d5077f2ef0d4495abbaaf587d735ef1d.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/xukanomarexumu/avoid_tolls_google_maps_android.pdfIn PDF document text
- https://6131fb9f-3080-406c-a6ab-c4686b6a2f6f.filesusr.com/ugd/52be6f_3a6712ab87434de18e1be046fe19f436.pdf?index=trueIn PDF document text
- https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_987af12118ea4344acf11c4e7a6e1496.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/penale/2021_ford_mustang_ecoboost_0-60.pdfIn PDF document text
- https://9fbaa0db-fe9e-443e-b503-3d02ea494c21.filesusr.com/ugd/d417e9_8f9d37f3c6c545eaab8a6ff78cba21a6.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ea3b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA3B	5696 bytes
SHA-256: `d4b765abe56b5c6fb0ba180ab684916c1d426b72eaa5482ca7b174ccb8ff1f3a`
`font_01_sfnt_off0000fd4e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFD4E	11260 bytes
SHA-256: `eddb5f993b272a27fd81b3205c8804ddb601d30ea98fe320d56d4623871f03bb`

Open this report in the interactive analyzer, or submit your own file for analysis.