PDF malware analysis — malicious · 3fce713782fae80c

MALICIOUS

PDF

81.4 KB Created: 2021-03-06 07:00:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22

MD5: b1d85307e455edd6417ec02e96d0a5e8 SHA-1: 2ae6ba98c002f52c9d8856a3ac9f1293f0c08925 SHA-256: 3fce713782fae80c02e863d9023be941b687bb22be3960d2cd5caf10e2c904ca

166 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is classified as malicious by ClamAV and ML heuristics, indicating it's a phishing attempt. It contains numerous links, some of which are hidden and lead to suspicious domains like 'loginwithfb.site' and 'sawemawe.mywebcommunity.org', disguised under lures related to COVID-19 and driver's licenses. The document's structure suggests it's designed to exploit user curiosity or urgency to click on malicious links.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE

PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://zajinet.ru/award?keyword=nj+driver%2527s+license+renewal+grace+period+covid-19 PDF link annotation
- http://sawemawe.mywebcommunity.org/motorola_xpr_4550_accessories.pdfIn PDF document text
- http://freshka.fun/abbyy_transformer_12_fulldhk96.pdfIn PDF document text
- http://soldonlittleton.com/homelite_super_xl_chainsaw_carburetor2ylza.pdfIn PDF document text
- https://fosegeluka.weebly.com/uploads/1/3/4/7/134717840/negadaruguf-safet-fozav-reroreme.pdfIn PDF document text
- http://fegokodelaxen.scienceontheweb.net/8686935766.pdfIn PDF document text
- http://poopo.ru/how_many_calories_in_veggie_power_bowl_taco_bellap0uv.pdfIn PDF document text
- http://loginwithfb.site/aadhar_card_by_biometric_devicepn4lh.pdfIn PDF document text
- http://mgacessoria.online/how_to_make_a_climbing_training_planrdbz9.pdfIn PDF document text
- http://rulabepotinujeb.mypressonline.com/38509345441.pdfIn PDF document text
- https://bexusisase.weebly.com/uploads/1/3/4/5/134596812/4874842.pdfIn PDF document text
- http://zitugaxusi.mygamesonline.org/56606180566.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://gekolutewubel.myartsonline.com/m_audio_axiom_air_25_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8afe0708-cf39-4ce0-9b31-5e46a6464a72/nozisovazexolamimiwik.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/838483a3-4718-4753-be25-e40afbde7a10/nail_salon_open_today_during_covid_19_near_me.pdfIn PDF document text
- https://b564fea6-732e-489f-a029-a72dc6590de2.filesusr.com/ugd/6a4619_acce785ff5e944c585c1787cec4d8ca7.pdf?index=trueIn PDF document text
- http://solejow.myartsonline.com/biwimitudumeguvegoza.pdfIn PDF document text
- http://sazasewugekupej.onlinewebshop.net/5066893915.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f203bc19-6ac6-4394-aebb-4dcb6eb3b0d3/who_destroyed_dathomir.pdfIn PDF document text
- https://f3dbd103-cf2f-44fc-b0ad-c9004dc38af2.filesusr.com/ugd/1f2646_b35f68821eda47adbd97d48f46a66e5d.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c49047e5-a8a9-4b53-a584-1a55c67c88e7/jafaradadagegal.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010065.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10065	5712 bytes
SHA-256: `43f32ef4dd32da8c3fdf27895b7cfe2ba724ff7dd37e871113538554cfc5b4dc`
`font_01_sfnt_off00011420.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11420	10564 bytes
SHA-256: `bb9a03179d67bb5bf7a76627c4728cbc9aa878e45c9310dcdbfffe4b7418fa12`

Open this report in the interactive analyzer, or submit your own file for analysis.