Malicious PDF — malware analysis report

Static analysis result for SHA-256 4462eb9c8a603ff7…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-03-28 18:59:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f0fd0c279b65b6a3744efaa9b1ed9c0
SHA-1: eb3606c3eda131306c6edd38042bbd00432457ad
SHA-256: 4462eb9c8a603ff73d9189bd04a832fc30debe7a3d8f0332a98e256b311ab3a1
Risk Score: 254

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass external link farm, with one link pointing to a known malicious redirector. The document body, though heavily corrupted, appears to be a lure related to recycling ink cartridges, aligning with advance-fee scam tactics. The presence of numerous PDF links suggests an attempt to generate traffic or distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/strik?utm_term=where+can+i+recycle+epson+ink+cartridges
    • https://nasesugafod.weebly.com/uploads/1/3/5/3/135387958/sizitogetaturi_xunuxotu.pdf
    • https://cdn.sqhk.co/zalopubid/VOnhfgi/ikea_kitchen_cabinet_doors_replacement.pdf
    • https://cdn.sqhk.co/fomavulobet/gtJhaRJ/subject_pronouns_worksheets_grade_4.pdf
    • https://cdn.sqhk.co/wexunaveb/hehcigd/48248328892.pdf
    • https://cdn.sqhk.co/netesatova/qhfgjyW/pelep.pdf
    • https://cdn.sqhk.co/titukopano/JjjmxTY/nirozupevelisuda.pdf
    • https://bilujadaju.weebly.com/uploads/1/3/4/7/134772480/e1e3c8214bfb.pdf
    • https://rerofijujujedo.weebly.com/uploads/1/3/1/8/131872137/wisaka.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/14308f52-61f5-411f-83e9-5cb8ac2d28af/larore.pdf
    • https://uploads.strikinglycdn.com/files/c0e0bec4-93a8-4403-bb31-d87884f80c1b/xadaxawad.pdf
    • https://uploads.strikinglycdn.com/files/ed07b012-c0b9-4de4-8e36-18658ce58374/how_to_use_the_hoover_steam_vac.pdf
    • https://9ebe8999-295a-4f11-87dc-c96f3e1b46ff.filesusr.com/ugd/8de238_9e60b0b205a5457db672debf6917e29b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1de473e3-0b29-48cc-9b6e-6ad6ced8fb81/can_i_use_samsung_tv_camera_on_pc.pdf
    • https://uploads.strikinglycdn.com/files/52ea804c-fb20-40a3-96bd-6fa17e6fa354/what_is_psychoanalysis_kid_definition.pdf
    • https://869e45c2-9c2d-410b-ad52-4d3411d41339.filesusr.com/ugd/73bd41_a659fff258734da3ab3000787b58763c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d3ec168a-0006-4dfa-8c6d-a63b838f96a0/epson_ink_pad_reset_utility_l130.pdf
    • https://uploads.strikinglycdn.com/files/58f7a8d7-0b0e-41bb-9003-0c8bb63553b1/31393922936.pdf
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_7a4aeb3d01bf48cd9e029a145024c660.pdf?index=true
    • https://1d812fcc-cfc3-4558-a870-56fc5b7f4c2e.filesusr.com/ugd/754d94_9ae88570c0a04d9bb825154333ca6fb5.pdf?index=true
    • https://s3.amazonaws.com/vuzotisenixava/dabakizajogixi.pdf
    • https://s3.amazonaws.com/tolivajupeku/8403072882.pdf
    • https://uploads.strikinglycdn.com/files/132a1546-a2e5-4105-ad8a-e7d0acc2995c/fokof.pdf
    • https://f730d15c-1921-46d2-b6d4-288333e40990.filesusr.com/ugd/e2c223_e15c14e778734900b5404a98c5c1c18f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0f3d6d52-2fbe-46ec-ad6f-060817c06e88/baby_girl_names_meaning_sun_indian.pdf
    • https://uploads.strikinglycdn.com/files/fb1599bd-7611-4516-8662-133ecc50efb5/brother_hl-l2380dw_toner_tn660.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010db3.bin
  SHA-256: c2203f4fadeb4c1689cd3e141a7742d76b0e836388b28fa88e03f326ce566f62
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10DB3
  Size: 5512 bytes

Filename: font_01_sfnt_off00012080.bin
  SHA-256: 8d7d5847bff537477a0bc6409b4a4472c2661950ae97ced368b4067bab38b761
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12080
  Size: 11144 bytes