PDF malware analysis — malicious · 3bc2bea371561d82

MALICIOUS

PDF

97.3 KB Created: 2021-03-13 15:07:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 9a7df666a0d60375886ffb6cf7708d79 SHA-1: 21395e62749c8b3171f3521a7ee5d9168e72fb8c SHA-256: 3bc2bea371561d823d7df969fbef1dd1eaa9a9dcbb26dfb5aa2fc0a9b455e0b2

166 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged by a machine learning classifier and ClamAV as malicious. It contains numerous embedded URLs, suggesting it may be part of a link farm or phishing campaign. Notably, it includes a 'Clipboard command execution lure,' instructing the user to copy and paste content into a shell, which is a common technique for executing malicious commands or downloading further payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/wix?keyword=air+traffic+control+career+prep+pdf+free+download PDF link annotation
- http://profapp.pro/jupoxipujuwurop98l8.pdfIn PDF document text
- http://natnat.fun/cashvertising_freecnbc4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4495526/normal_60125aed7b59b.pdfIn PDF document text
- http://kyponnik.online/11088286173ps128.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4464083/normal_600b5ae4a26ee.pdfIn PDF document text
- https://zunepijubu.weebly.com/uploads/1/3/3/9/133986973/3823012.pdfIn PDF document text
- https://tazabavirivagi.weebly.com/uploads/1/3/0/8/130814173/3172009.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485714/normal_603f1ed3ce8ac.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4385216/normal_5ff782e4ce8e8.pdfIn PDF document text
- http://dvestideyli.xyz/pexetolikh33s3.pdfIn PDF document text
- https://gurosutu.weebly.com/uploads/1/3/2/3/132303194/05dc74a6.pdfIn PDF document text
- http://femesugubu.iblogger.org/modern_world_history_textbook_online_10th_grade.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489428/normal_602426b345c50.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://eee7329a-c4d5-4508-a8fd-a8ba515f7d9f.filesusr.com/ugd/5ed802_47c60a087f714e17b13cc3016015ec95.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c63a7e2b-7fe8-43b4-8a35-6987413a2efc/87433438224.pdfIn PDF document text
- http://kopivenegi.epizy.com/22935609514.pdfIn PDF document text
- http://viwumizebawekez.epizy.com/frustration_aggression_theory_dollard.pdfIn PDF document text
- https://7835c217-6b95-46a1-915a-76cdebae3fe0.filesusr.com/ugd/debfb4_40a0e8a72cba452aaaabd53047e30688.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/4b5d573a-333a-4717-8a56-bb4002e34c41/vasesugujelivepuwuke.pdfIn PDF document text
- http://sifepati.epizy.com/tozojixapu.pdfIn PDF document text
- http://nedepufeto.epizy.com/app_to_soundcloud_songs_iphone.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28293e0d-5db5-41f7-8559-b1ddc8efb836/jumigeminebuwowinevon.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/86572bbe-9b90-4461-972f-3ee81ada7b02/gorulowevuxi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00013be3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13BE3	5052 bytes
SHA-256: `5c18434eeda7d312dd00d763d364947a06bf72b0da275bc315a8efbd18014448`
`font_01_sfnt_off00014d37.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14D37	12568 bytes
SHA-256: `a7fc1a9e96bc51513c8d67fea42604d1a1664c5ac7a12a536ac1f252922bfbeb`

Open this report in the interactive analyzer, or submit your own file for analysis.