PDF malware analysis — malicious · 402fce0529669146

MALICIOUS

PDF

87.3 KB Created: 2021-03-10 00:31:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-04

MD5: 09b38584d0fa0002b00cb7d8daa73d36 SHA-1: a703d5110091370573a674ea8b2c7909962830ff SHA-256: 402fce0529669146947ddd718a67e22ae45c85d529ca0b237b525d8e520ccf5f

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by multiple heuristics as a link farm, containing numerous external links to other PDFs hosted on disposable domains. The ML classifier and ClamAV also identified it as malicious, specifically as a phishing trojan. While no scripts were explicitly extracted, the nature of the link farm suggests a potential for distributing further malicious content or phishing lures.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://resalured.ru/award?keyword=social+cognitive+theory+strengths+and+weaknesses+pdf PDF link annotation
- https://cdn.sqhk.co/kifateten/difjeeY/81747692329.pdfIn PDF document text
- https://cdn.sqhk.co/bitaxukezor/gdiinVR/ancient_egypt_old_middle_new_kingdom_timeline.pdfIn PDF document text
- https://cdn.sqhk.co/woxutonezem/jfveggf/kutuzuzuvurumogesamo.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4460725/normal_5fcbd69f8a144.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4391327/normal_5fcf29a332b50.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4393486/normal_60461c6d38e3a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4467945/normal_60204f4293836.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4490534/normal_601d649e3cc02.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4482625/normal_5fdb9d691e1b2.pdfIn PDF document text
- http://widuzuduzudovix.iblogger.org/87438103660.pdfIn PDF document text
- https://cdn.sqhk.co/tezofugowura/kgjxNnC/kebokovuz.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4491670/normal_5fd2e4504a459.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4471960/normal_6047f57a624b8.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374371/normal_603a745a1d012.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4387933/normal_5fcb23777053f.pdfIn PDF document text
- https://cdn.sqhk.co/bolukawet/S0idxVr/wajusa.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://bipunasozusi.epizy.com/44015347580.pdfIn PDF document text
- https://17a6c5a8-0587-4adf-8126-5b439e15a62f.filesusr.com/ugd/54bec1_f87357709cf44de7b3b0e6b85c982950.pdf?index=trueIn PDF document text
- http://vukanaxugosazed.rf.gd/ind_as_17_segment_reporting.pdfIn PDF document text
- https://aed0ee3a-d217-4696-a563-de9ff15d6c37.filesusr.com/ugd/f80e3f_76db3805fdbd40ed9222887255757727.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e3c8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE3C8	16336 bytes
SHA-256: `1d182da83d73666e3510367a86f59655721f2eb89bd1b6108ae0f2af9ffe566d`
`font_01_sfnt_off000117fc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x117FC	5840 bytes
SHA-256: `5f3c82faed900c2d928f4c09845407390ed65eff8db2d7b4dadc017aecc9555b`
`font_02_sfnt_off00012bfa.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12BFA	10196 bytes
SHA-256: `42ea276bb565ce056c4940b596231b77d69bdcef7a1b4ce705b30769d874bf5e`

Open this report in the interactive analyzer, or submit your own file for analysis.