MALICIOUS (Risk Score: 156)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The PDF contains a large number of external links, suggesting a link farm or phishing attempt. While no scripts were directly extracted, the presence of embedded URLs and the nature of the heuristics point towards a phishing or malicious redirection scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e6c5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6C5 | 5556 bytes | 4ee16c6fffbd94bcfdfc0cb6ca0921f00ba1a6dcaa39233fd7b29400bd21f4a0 |
| font_01_sfnt_off0000f994.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF994 | 10840 bytes | 479b70688a2fce2abd8e67d7a011983e05141aebae9366eec9177598a0944c3e |