PDF malware analysis — malicious · 462d153af59d795e

MALICIOUS

PDF

69.9 KB Created: 2020-12-11 00:18:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4e76029da8e9066256f99d1128b70872 SHA-1: 246f8b160c5ea6fc528259fc71f394833d241096 SHA-256: 462d153af59d795e72a243aa207eafde5ad657c78ef55411e08a99fdd40835cb

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains numerous embedded URLs, with one specifically disguised as 'bulletproof diet recipes pdf' pointing to a suspicious domain, likely a phishing lure. The presence of multiple links across different domains suggests a link farm or SEO manipulation tactic to distribute the malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.8239

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffe.ru/aws?utm_term=bulletproof+diet+recipes+pdf
- https://cdn-cms.f-static.net/uploads/4381294/normal_5fa83774a62d2.pdf
- https://rugurujumififez.weebly.com/uploads/1/3/1/3/131384765/dimofojewesis-tojagazul.pdf
- https://cdn-cms.f-static.net/uploads/4414864/normal_5f9cb3fba24db.pdf
- https://static.s123-cdn-static.com/uploads/4476578/normal_5fcd8ab23649c.pdf
- https://cdn-cms.f-static.net/uploads/4369645/normal_5fb6be418439d.pdf
- https://firupewuvub.weebly.com/uploads/1/3/4/3/134330425/sezipepo.pdf
- https://darifojiwuz.weebly.com/uploads/1/3/4/5/134588766/04a3acf1.pdf
- https://jorimedazaget.weebly.com/uploads/1/3/0/7/130738946/momobubune.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc0d9d28787e879896bb85a/t/5fc4fe3feaf37e3b64394e80/1606745663949/lysander_a_midsummer_nights_dream_character_analysis.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe0b8c3f75b166439c635b/1606290317471/george_and_lennie_rabbits.pdf
- https://static1.squarespace.com/static/5fc0de27085bf90c0efce9ba/t/5fc14a6d3485235c86f66f3b/1606503021993/89724565629.pdf
- https://uploads.strikinglycdn.com/files/1f7505d3-0a98-4ca2-984a-958e68acef7c/narnia_el_sobrino_del_mago.pdf
- https://uploads.strikinglycdn.com/files/1f20f0df-1d5e-417a-a586-e25b20028f1f/lepai_lp_2020ti_review.pdf
- https://uploads.strikinglycdn.com/files/be5462d3-d074-4562-a129-2635623cc76d/libro_acerca_de_la_verdadera_historia_de_mexico.pdf
- https://static1.squarespace.com/static/5fc293a78ef7301f8b1b7b85/t/5fc4885161e25426e1c8fe9c/1606715474754/51614764889.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ea9b.bin` `055638a61697fdad1de09045fa9ebd7244149b3017045bb50cc07cd4fb4dea43`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA9B	4764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.