PDF malware analysis — malicious · 32fb547b4c0fdd72

MALICIOUS

PDF

89.1 KB Created: 2021-05-10 00:56:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8363625ea91f78edc3c8f496dafcf355 SHA-1: 2002426e7d719a897138782f0c242c7785670c28 SHA-256: 32fb547b4c0fdd7279f4fc4c3bfd83258749a50113667859b5a2611a231dbe31

206 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits multiple high-severity heuristics indicating malicious intent, including random and suspicious link patterns pointing to disposable domains. The ML classifier strongly flags it as malicious, and ClamAV confirms detection as a phishing trojan. The document body, though heavily obfuscated, contains references to wkhtmltopdf, suggesting it was generated programmatically to host numerous links, likely as part of a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE

PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jumiwimov.ru/strik?utm_term=the+mists+of+avalon+full+movie+online+free
- http://leree4.club/winumopuzoxak7sbi0.pdf
- http://sedouche.xyz/afterglow_headset_xbox_one_stopped_workingg9l4t.pdf
- http://genusadnlo.space/noxafisofakawidatuvusijasgxghl.pdf
- https://cdn-cms.f-static.net/uploads/4417206/normal_60603a2c27e8d.pdf
- http://expressday.online/is_ruger_sr9_a_good_gun0189e.pdf
- http://securityofusersdevicesonline.site/what_do_database_data_warehouse_and_data_mining_have_in_commonqovgh.pdf
- http://misstourist.info/xobalwd0kr.pdf
- http://cz-nitrof.website/casio_forester_watch_manual8r67q.pdf
- https://static.s123-cdn-static.com/uploads/4487381/normal_6006dbae29302.pdf
- http://cancandance.org/platicas_de_bautizo_onlineq4c9k.pdf
- http://lianhua.life/734401845318lnwm.pdf
- http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf
- https://cdn-cms.f-static.net/uploads/4417313/normal_5fe7e81db1b52.pdf
- https://static.s123-cdn-static.com/uploads/4419198/normal_5fefa39a3529e.pdf
- http://amst-watch-v2.club/how_to_do_neck_rotation_exercisev5wde.pdf
- http://tokio-2020.fun/wosomop93f81.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/2e88ebaf-d40f-439d-8a8a-389f56513ff2/misabus.pdf
- https://uploads.strikinglycdn.com/files/d5746cd1-2078-46fa-8669-d80a4969e7eb/how_to_make_maggianos_baked_ziti.pdf
- https://db6d201d-bdff-4648-9982-d9cfaac7639e.filesusr.com/ugd/98857b_d74a1ade162a459b91420e5d60356647.pdf?index=true
- https://8a6b9437-e7f2-49d7-8c24-351b272aa67a.filesusr.com/ugd/b18e4d_b0dd20c0dce04bf08932944e6fc4eedc.pdf?index=true
- https://acbe2b0b-ee64-4eea-b0ce-372b1aa9cc7a.filesusr.com/ugd/4bcc67_c39b36579df34108a5436286ab87df10.pdf?index=true
- https://uploads.strikinglycdn.com/files/b6ac1433-da8b-404b-beb8-f477c9cc6992/the_magicians_season_4_episodes_wiki.pdf
- https://uploads.strikinglycdn.com/files/e36c8795-e47a-46e4-86d2-b3898d9d2fab/10924537484.pdf
- https://45180a89-8b92-4d54-a4c6-cdf0ad6af3c7.filesusr.com/ugd/2b98a3_27ff2e4ff8864cbbbce8d52df5049ab3.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000120b1.bin` `b8fa0826d571e3fcb61d33d966ea903b1e26e9a4f6ef238669dcbe8e00bcde37`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x120B1	5016 bytes
`font_01_sfnt_off00013199.bin` `a3e7487bc47617da9602ba5956e3e4d7252e7cb36b8dca94619db08f664fcf8f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13199	10776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.