PDF malware analysis — malicious · 306bd9512afd2dab

MALICIOUS

PDF

79.8 KB Created: 2021-03-24 11:03:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25

MD5: 74c5e6730bf00fc3d7925488656975a3 SHA-1: 2c4198ca45a6fd1a8d7e4b62e5d2cc2463ba488a SHA-256: 306bd9512afd2dab92e5c34447759852c7de53a0077b4517d680f0b99b8e0b7e

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to benign-looking PDFs, but one primary URL is associated with a keyword search. Heuristics indicate this is a link farm designed to generate SEO traffic, and ClamAV identifies it as a phishing trojan. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the overall structure suggests a malicious attempt to redirect users to potentially harmful content.

Machine Learning

Nyx PDF Classifier suspicious score 0.4132

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/wix?keyword=chapter+14+chemical+kinetics+worksheet+answers PDF link annotation
- http://wadixokup.22web.org/acute_coronary_syndrome_guidelines_aha.pdfIn PDF document text
- http://megatorg.ru/wave_painting_animal_crossing_new_horizonsnyeeq.pdfIn PDF document text
- http://baby-slings.ru/hype_x_cyl_bluetooth_speaker_manualdtm1b.pdfIn PDF document text
- http://vorecan.fun/recommendation_letter_template7t5yd.pdfIn PDF document text
- http://drenajkrasnodar.ru/can_you_play_star_wars_galaxy_of_heroes_offline6l4m6.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/gomakobez/49365469852.pdfIn PDF document text
- https://011f98f8-b45f-4578-a2fd-466b530f7845.filesusr.com/ugd/74e905_0c4e0da9fadd456a9ed18ed5d83fe8ad.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/posufij/samovizebaj.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cae24481-4f47-4a08-8905-b07d21398c26/ez_go_golf_cart_parts_catalog.pdfIn PDF document text
- https://s3.amazonaws.com/sixolose/does_burger_king_have_a_grilled_chicken_sandwich.pdfIn PDF document text
- https://s3.amazonaws.com/tokudapele/4927661570.pdfIn PDF document text
- https://c3d762b3-5d50-4891-ab6d-43710edd2423.filesusr.com/ugd/3254bf_472197d18ce44db69297f8b20163e2ea.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/wefemabeni/17149822001.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f45f25bb-7253-4f3a-8a94-f29df65f653e/miwerifamovaxemen.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ba943f3e-f74a-4ae7-9021-976ed8af3021/xagam.pdfIn PDF document text
- http://sejuralun.epizy.com/pdf_cinderella_short_story.pdfIn PDF document text
- http://kujafugakare.epizy.com/adobe_support_advisor_for_pc_free.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/09227199-bff3-45df-ba2f-6b481f1dd6bd/pobuxuzaxog.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/87334415-7714-489f-85a5-ed8ab85875a9/what_oil_should_i_put_in_my_pit_bike.pdfIn PDF document text
- https://cf587a47-7c2f-4f55-8bbb-21a4c73503f7.filesusr.com/ugd/8ea597_8f7917ceb7524666ae983b7e7ea2f305.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/39c1f40b-63ed-4b14-a001-53535514da0a/in_the_mood_for_love_soundtrack_mp3_download.pdfIn PDF document text
- https://bdee3e82-1fe6-4084-b289-f15f5249f83e.filesusr.com/ugd/749937_d1aaa81674744290ba05d8913ff225f5.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/45ebb887-bffe-43d6-a349-d0e06a161469/how_to_fix_a_ge_microwave_door_handle.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dd9a99bb-8c3a-4339-8f5a-603f9122a3ea/48443524112.pdfIn PDF document text
- https://78151a86-a557-4e49-81aa-a2539eea45c7.filesusr.com/ugd/204f4f_cf11885350d945ab83f4ca7a2807505f.pdf?index=trueIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000102ec.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x102EC	5372 bytes
SHA-256: `703ab5f5b178c3ad90703ffc96596d37fa28f23ee905f8ade350939ed6d55348`
`font_01_sfnt_off0001151d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1151D	11044 bytes
SHA-256: `62edd4fd469caae5cbd5dcda01287ca343108d79ed2a2ae46e27e56295a40370`

Open this report in the interactive analyzer, or submit your own file for analysis.