PDF malware analysis — malicious · 5383ce83ebf6bc15

MALICIOUS

PDF

86.5 KB Created: 2021-03-15 08:34:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 01fa747446e51e1b8ec86bca72405b29 SHA-1: c4d5bb4f3899c9764338da6848446a50ab9d36b2 SHA-256: 5383ce83ebf6bc15e880c42de914ec32b8529fea0a0387f07d92a3fd0c390170

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. The primary URL, https://pelibifir.ru/123?utm_term=swiss+crs+reporting+deadline+2019, is likely part of this scheme. No scripts were extracted, but the PDF structure and link farm heuristic point towards a phishing or malicious redirection attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pelibifir.ru/123?utm_term=swiss+crs+reporting+deadline+2019
- https://segapokepex.weebly.com/uploads/1/3/4/6/134649200/9995173.pdf
- https://cdn.sqhk.co/tezofugowura/ujiY2nq/the_roommate_agreement_emma_hart_read_online.pdf
- https://zepukuliro.weebly.com/uploads/1/3/5/9/135964459/5f960b71.pdf
- https://nalufubuxozukex.weebly.com/uploads/1/3/4/4/134479837/23443.pdf
- https://kemovovem.weebly.com/uploads/1/3/1/4/131408999/vamijonuno_fazaziwineleg.pdf
- https://lalidusuferub.weebly.com/uploads/1/3/4/4/134440540/3186416.pdf
- https://wiwokuvivatazu.weebly.com/uploads/1/3/4/6/134629214/3322471.pdf
- https://molesomux.weebly.com/uploads/1/3/2/6/132681378/2bc434dfe97bfa.pdf
- https://waruzakelejabu.weebly.com/uploads/1/3/4/6/134600446/f5d95f8.pdf
- https://cdn.sqhk.co/sezunofubuzi/gLBmOif/movie_shark_attack_surfer_girl_2016.pdf
- https://bojowavezuzabi.weebly.com/uploads/1/3/1/3/131382797/04c428a883c.pdf
- https://kiwitelovig.weebly.com/uploads/1/3/4/3/134358902/jibejulefaxupe_kezivirageki_mavatepafositug_nisajubulapuz.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/44c2d0b6-5735-402d-b188-460831c01f16/why_is_my_maytag_washer_not_working.pdf
- https://98be45bc-63b9-4117-aff7-84a3d4f2c4a0.filesusr.com/ugd/90c678_cbb48b3f137145a6996ac680984b59cd.pdf?index=true
- https://c1f973cf-d719-4acb-8f9e-cd83ae4fb94d.filesusr.com/ugd/057766_ef3f2936f7a542afbe942a8f1669bbb6.pdf?index=true
- https://uploads.strikinglycdn.com/files/77e0ae4d-09a1-4c4e-85f0-9653da23bc54/63835069520.pdf
- https://c8070bf9-ed42-4c5d-8eb8-ca35ee70f136.filesusr.com/ugd/d38238_3aceb05b2a7149c9a01819ef11b54684.pdf?index=true
- https://uploads.strikinglycdn.com/files/1bb18933-6dd4-4f89-a3c5-8dececc90155/gufabupusumire.pdf
- https://121f8fc1-d270-4171-a721-8ccd656fc20f.filesusr.com/ugd/2ca22b_8c33387d9dbe4e1da764fe8343f04a91.pdf?index=true
- https://4f0754e2-f0c4-47db-826b-83042027646c.filesusr.com/ugd/7a11b0_8068176e75244808a83b2c2a64d1e883.pdf?index=true
- https://s3.amazonaws.com/woxojuxafopuv/android_ndk_cmake_install.pdf
- https://s3.amazonaws.com/risisipajole/10476794886.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010506.bin` `83916b88e324c8bd9d90ce8e915a459261e840751cc0fd618b7e4fd26359bdfb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10506	5704 bytes
`font_01_sfnt_off00011881.bin` `74244b56ca748191a7b57711060e9e02b144b8dc33e110146aad70fb685b5d25`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11881	11164 bytes
`font_02_sfnt_off00013e74.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13E74	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.