PDF malware analysis — malicious · 4f081a91ce37c343

MALICIOUS

PDF

88.8 KB Created: 2021-05-04 00:12:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: f02841082ecc35001db6795907c54747 SHA-1: 9a523d633409e10272933daeea1f8c1b3fbfd0ce SHA-256: 4f081a91ce37c343c0e76b26792cfd9f6d557209ecb2ad1263be637cd84cd992

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of external links, many hosted on disposable domains, indicating a link farm or SEO manipulation tactic. One of the extracted URLs is https://zajinet.ru/strik?utm_term=nourishing+traditions+baby+food, which likely serves as a redirector or landing page for a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://zajinet.ru/strik?utm_term=nourishing+traditions+baby+food PDF link annotation
- https://wixezijuni.weebly.com/uploads/1/3/5/3/135312108/36243.pdfIn PDF document text
- https://zikixitifo.weebly.com/uploads/1/3/4/8/134897390/6513137.pdfIn PDF document text
- https://xukifunizagopo.weebly.com/uploads/1/3/4/0/134013279/45864d28ef2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4405950/normal_5fd14633dcf10.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4465565/normal_5fcf26f9a3d01.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4384325/normal_5fd17cb3ce6ba.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4387918/normal_601534168d098.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366047/normal_60545555e8bac.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4450439/normal_5ff5aa058d0a8.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4404296/normal_60280da3c2bdc.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4456982/normal_6028bec7af739.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369514/normal_604cb940196f2.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://4ac36a2f-1533-488b-b282-cf34cdace458.filesusr.com/ugd/bcfc12_56cdc3154fe54fbe83c1f88f933e5e10.pdf?index=trueIn PDF document text
- https://9005a25f-7293-4a73-bb0f-bc58e8c16807.filesusr.com/ugd/e3834b_272da5a25e3f40318b79efc5d3ab43c1.pdf?index=trueIn PDF document text
- https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_cf3b51feacad447dbe3976ced2e8b913.pdf?index=trueIn PDF document text
- https://7fc1e5b2-1dd8-4457-9de2-3dea1ab9f589.filesusr.com/ugd/fedd61_9f152d8a02554d8294866c0ff8e73e97.pdf?index=trueIn PDF document text
- https://976edc35-935c-46de-9e6e-e225dbc25668.filesusr.com/ugd/0829d8_fbd140b6155c48749ed2e3b0e4dbe7d9.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001057e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1057E	5348 bytes
SHA-256: `481e7e9a8e458ed373f1c6ada646c56f601ce612da28dd33debe0ec1c678824b`
`font_01_sfnt_off000117b2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x117B2	11840 bytes
SHA-256: `babc5b6871996cdecbb6fcf0eced148aca697561ebbe64f4ebccddf47c1153e3`
`font_02_sfnt_off00014037.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14037	16204 bytes
SHA-256: `532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e`

Open this report in the interactive analyzer, or submit your own file for analysis.