PDF malware analysis — malicious · 4c78baaaf2efc1f5

MALICIOUS

PDF

91.9 KB Created: 2021-03-27 22:32:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bba27599073ec47145c82ac0d229d8bd SHA-1: 50562adbc566313d37009c553a860708e1f52c8c SHA-256: 4c78baaaf2efc1f5cfe1f466e085ae3b9267d2dca54053f98728ef8e1acd5700

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic firings reveal it functions as a link farm, containing numerous external URLs pointing to potentially harmful content. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic suggest the document is designed to redirect users to malicious websites, likely for phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://resalured.ru/aws?utm_term=las+mejores+frases+del+monje+que+vendio+su+ferrari
- http://jewlgems.com/when_to_recite_surah_mulk5zidx.pdf
- http://winsl.space/surah_mulk_alkalam._pkh5l66.pdf
- https://setopotuvojinow.weebly.com/uploads/1/3/4/8/134877086/7802194.pdf
- http://buybritishcat.com/sundance_spas_spare_partstro4m.pdf
- https://xazowivuxef.weebly.com/uploads/1/3/4/5/134513065/5710779.pdf
- https://radebijudowax.weebly.com/uploads/1/3/1/6/131607027/9666093.pdf
- https://mabamakozipapap.weebly.com/uploads/1/3/4/3/134315796/f271a7e182043f.pdf
- http://trokot-shtorki.online/materi_lapisan_bumi_kelas_72xdfs.pdf
- http://help-nanny.site/177780882383o9b7.pdf
- https://dutumeparozawa.weebly.com/uploads/1/3/1/1/131163590/tuzumata-gelim-pasufugejuji-dafazakitomapi.pdf
- http://instapriz.site/what_chilean_island_inspired_the_story_of_robinson_crusoegof6a.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://4f0754e2-f0c4-47db-826b-83042027646c.filesusr.com/ugd/7a11b0_c97409ce9f904a8e97a772d6c5ef5f5c.pdf?index=true
- https://a8fdb364-3865-4521-a36b-e12f4de7752f.filesusr.com/ugd/e20637_597f38a69d0845b298199f83a627d9ca.pdf?index=true
- https://a12a05ab-6462-4855-b086-b0a2a961d6d8.filesusr.com/ugd/2c76f4_3f8ee3f235cf428c9625e4ee89e13f73.pdf?index=true
- https://f787f216-758c-4e4c-8ed4-4b2970fe4778.filesusr.com/ugd/e5a943_dc2e75d9ecd74b13af358aadf0ea4d53.pdf?index=true
- https://3745348a-78a0-42d7-8ff4-af2b45bf5faf.filesusr.com/ugd/02631b_df73fdbe5fca432ba1323ec16cf50e03.pdf?index=true
- https://4a1fbaa0-0e67-401b-a466-96699e2e5642.filesusr.com/ugd/9647bf_7efd799579a3407f9fda33d4fba73b36.pdf?index=true
- https://e9593579-f51f-4dc6-af55-2543ab512b45.filesusr.com/ugd/37952c_2c4950b1b200470dbda5736df55abcd7.pdf?index=true
- https://1b6fbac1-9b66-4609-9151-81f5d4c316f7.filesusr.com/ugd/5e81b9_3082aa69e0bc4f10b98a5cf70bab19e6.pdf?index=true
- https://6d4cd3b7-91e9-43ac-92b9-205473f1e50d.filesusr.com/ugd/28146e_ecbdd4cc70ac4c659fa767810ee67bc9.pdf?index=true
- https://4328a374-8b5c-4134-9cef-e132ca5fc89d.filesusr.com/ugd/6732b1_c0ebd19a5763421b9f706528323345f5.pdf?index=true
- https://50aad03f-9d2a-47e6-be13-abd12f321b17.filesusr.com/ugd/3fd638_010dffce87584244bd827cec01773508.pdf?index=true
- https://e85625e8-91d5-48c2-95a4-67b7b95d5b39.filesusr.com/ugd/b97a97_b12f9467773d4fa3a121b15acd6448f8.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012744.bin` `94c8efa8a237ed37a37466b8d7b34e1a0952223e621a3a5c4a51b2805ae4ff3f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12744	5256 bytes
`font_01_sfnt_off00013919.bin` `405aa9badcea0ae941bfcc6f8b65054bab81480c3a71639157f145dbf2c62837`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13919	11960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.