PDF malware analysis — malicious · 2902782da9c3277d

MALICIOUS

PDF

109.1 KB Created: 2021-03-05 05:21:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17

MD5: a82099442b3505ed2c05b56d54f4c1d6 SHA-1: 511d3de449f4dd7a40b06546a9f7ab882250add5 SHA-256: 2902782da9c3277dac87bfce998637042f11a6985f2ed0009396c5407f90eb0f

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains a large number of external links, many pointing to disposable hosting, indicating a link farm designed to redirect users. One of the embedded URLs, 'https://xajibur.ru/award?keyword=how+to+set+alarm+on+sony+dream+machine+icf-cd3ip', is particularly suspicious and likely leads to a phishing or malware site.

Machine Learning

Nyx PDF Classifier malicious score 0.8515

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xajibur.ru/award?keyword=how+to+set+alarm+on+sony+dream+machine+icf-cd3ip PDF link annotation
- http://vuwimoxit.mygamesonline.org/is_the_minnesota_drivers_license_test_hard.pdfIn PDF document text
- http://kazimibi.getenjoyment.net/35153390863.pdfIn PDF document text
- http://beririka.scienceontheweb.net/why_does_my_lg_refrigerator_ice_maker_keep_freezing_up.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.fontrix.comhttp://www.nhncorp.comIn PDF document text
- https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_ad82b24691824e3eb015157632546a90.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/ad02fff8-1a98-46f2-84b8-906711f3cf50/salario_minimo_para_empleados_exentos_puerto_rico.pdfIn PDF document text
- https://9c789f27-b70c-4c9d-9e83-211ee8f99b38.filesusr.com/ugd/bdeb4c_764ff448911b48e1a6d163b3041a5291.pdf?index=trueIn PDF document text
- https://8c4778c4-ed17-4cf1-86f9-5448e21c5c15.filesusr.com/ugd/6da380_0f36958229ea4d8c9496d75f09c9f41c.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/d913d9c1-07aa-4297-adf7-a7b2d98d8413/download_save_editor_diablo_3_ros_xbox_360.pdfIn PDF document text
- https://70848fb0-0fd0-490a-9360-2ffa38fc212c.filesusr.com/ugd/08e331_b80d971393534302a031ede03c9589e3.pdf?index=trueIn PDF document text
- http://fojosotum.myartsonline.com/luboviwefidef.pdfIn PDF document text
- http://rigeladujonij.epizy.com/64918058574.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ee4041e4-98aa-40f8-90d3-9bf63d3b80ce/how_to_do_descriptive_writing_gcse.pdfIn PDF document text
- http://vorisenunajix.myartsonline.com/how_to_make_a_one_shot_dd.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4923f3d7-1f2b-4307-8be2-96a2bcf5f9a2/jenomotojugos.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ddf4de64-dadd-4710-8f40-a8093fc11685/gabekinadexunosun.pdfIn PDF document text
- http://xolavozezimodan.onlinewebshop.net/67510578350.pdfIn PDF document text
- https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_3f51a52eb99e4ffead952d470f196b52.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/4cf4769b-11ab-4ac8-9eef-29973df8657a/4489707521.pdfIn PDF document text
- http://pijularof.epizy.com/16586321402.pdfIn PDF document text
- http://paxevufofuf.epizy.com/skype_for_win_xp_sp3_free.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001436c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1436C	5748 bytes
SHA-256: `9ca82792da8e4e2606685b45d8d675470404d3688d3b767dddcad5d712b9b31c`
`font_01_sfnt_off000156e8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x156E8	3348 bytes
SHA-256: `948d40f6d5a9c3dea783d395e8d4a38cb63a48a185fc285a607aef6fba6d9500`
`font_02_sfnt_off00016494.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16494	11104 bytes
SHA-256: `0a00c219cfc1e8ac7819d4d5ee448b8ee57bb7591cfb782bf7447787b95c1540`
`font_03_sfnt_off00018a8f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18A8F	15516 bytes
SHA-256: `2dd5fa05d9893d0280f96893fb5783f787f0ef296248f39e7d3ac15920d994f8`

Open this report in the interactive analyzer, or submit your own file for analysis.