PDF malware analysis — malicious · 50dd19e1f0aaff74

MALICIOUS

PDF

79.2 KB Created: 2021-04-08 09:31:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d6b4c74633c5cb46133ed35b61116d3a SHA-1: 79ac13f80c58a855fd76bfacd711957a786f3cc4 SHA-256: 50dd19e1f0aaff74719967cec0e7a148d399869134d724422e64e9a9dca01130

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as a phishing trojan. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or redirection mechanism. The primary URL observed is https://vilenefex.ru/strik, which is likely used to deliver a secondary payload or redirect to a phishing page.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/strik?utm_term=newsmax+channel+on+spectrum+cable PDF link annotation
- https://cdn-cms.f-static.net/uploads/4369336/normal_604886d5cbf51.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489976/normal_6041d3d0a4582.pdfIn PDF document text
- http://pifanaliriwabo.mygamesonline.org/63804581111.pdfIn PDF document text
- http://tebaxal.22web.org/define_parameters_in_cloudformation_template.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4420237/normal_6023d53840552.pdfIn PDF document text
- http://zokugorevat.mywebcommunity.org/eureka_vacuum_not_spinning.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://44879a12-c10a-431c-a98a-7de142752d0f.filesusr.com/ugd/bb4607_d3226282b5bd4c929799165523e0f011.pdf?index=trueIn PDF document text
- https://bc260b4e-efc2-469d-9102-9c7234992d76.filesusr.com/ugd/b1b3ad_5bda01d6588743e5a896ccb060fec7f0.pdf?index=trueIn PDF document text
- https://d5fb4b5d-766d-4e54-ab1c-ecc61d2b7d82.filesusr.com/ugd/b0c8dc_b77b549c1dc541e795b1da7856e83b3c.pdf?index=trueIn PDF document text
- https://7fd92c66-d3af-485c-b7a9-31529ddfb1b5.filesusr.com/ugd/997d0f_a095d8e8df8f4e7ab21511bb1d153111.pdf?index=trueIn PDF document text
- https://d3df31c7-72fe-42b1-a92e-0723e8ed7a16.filesusr.com/ugd/5bf82b_6c232eff648d427b8ef713f8004d0dc5.pdf?index=trueIn PDF document text
- https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_59afc64f69964d2bbc7aff658464146c.pdf?index=trueIn PDF document text
- https://3d7304b5-8527-495f-b913-615d6f357a43.filesusr.com/ugd/ef7486_ec1b3b6b943f4e4291a6ece66db8cc28.pdf?index=trueIn PDF document text
- https://8fa10226-37c2-454d-bd65-ced70ecbf0c4.filesusr.com/ugd/c34aa9_0efa9896c3624a68ba79859a5e6e538b.pdf?index=trueIn PDF document text
- http://wizasagi.rf.gd/66662529595.pdfIn PDF document text
- https://d8d691c7-cf48-432b-bece-a54604b57851.filesusr.com/ugd/1e3a4b_0e459c0aec0744ae8c738aeef8832b91.pdf?index=trueIn PDF document text
- https://98cdd5c5-c43e-49eb-9373-39517e896cbb.filesusr.com/ugd/90661f_96055f799999423a96784b88555ff739.pdf?index=trueIn PDF document text
- https://33c7e2ec-32fc-4676-a642-9d95a4379e01.filesusr.com/ugd/622218_f21e4424f5184fe8904ed60be03aa189.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f742.bin` `2701dcda900419f660a26227bb9d011869a1deb2e3dc5d392d74528e014d8d9a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF742	5440 bytes
`font_01_sfnt_off000109af.bin` `339afa96a6dbfca4918bb3d41c6c56e40ed170fea6d4b6568466f90284d8fd44`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x109AF	11216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.