PDF malware analysis — malicious · 57479fbbe6509c5d

MALICIOUS

PDF

66.5 KB Created: 2021-04-02 18:53:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-10

MD5: 99f85be28c05c49556b07aaf3baceb84 SHA-1: 876f854620afc2b06d4695da5441e94a81ae86dd SHA-256: 57479fbbe6509c5d98fa06da9a660d77253dd91d664be28a1bb44a5d372f64a4

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file is identified as malicious by multiple heuristics and an ML classifier, indicating a phishing lure. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to obscure the ultimate destination. The heuristic 'SE_MFA_LURE' strongly suggests the intent is to harvest credentials or abuse multi-factor authentication. While no scripts were directly extracted, the PDF structure and link farm indicate a sophisticated phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
MFA / one-time-code harvesting lure high SE_MFA_LURE

Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/award?keyword=ave+maria+guitar+chords+pdf PDF link annotation
- https://cdn-cms.f-static.net/uploads/4471985/normal_5fe77cfb36589.pdfIn PDF document text
- https://cdn.sqhk.co/nawafoxobok/jKVifhg/cosmic_showdown_apk.pdfIn PDF document text
- https://cdn.sqhk.co/xafemepino/ickyiha/pase_elite_free_fire_diciembre_2020.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369508/normal_600a266a6c20c.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4490272/normal_5ffb67f2058b0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4378855/normal_5fd77def5a976.pdfIn PDF document text
- https://cdn.sqhk.co/zudilubal/gc0gjjf/knights_inn_hotel.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4393754/normal_6031eec4ee937.pdfIn PDF document text
- https://ruvudiroxutorag.weebly.com/uploads/1/3/0/7/130775702/gulamevanijibup.pdfIn PDF document text
- https://lumitagejul.weebly.com/uploads/1/3/4/8/134887152/6145714.pdfIn PDF document text
- http://neriwozu.22web.org/windows_10_powershell_download_file.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/6a969f48-0bfc-415c-a07c-9918a2240a90/lavedupuxekozugusowebor.pdfIn PDF document text
- http://welerojiki.rf.gd/fufiwinidosuno.pdfIn PDF document text
- http://feputuwi.epizy.com/acquisitions_and_mergers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e9ef8811-2972-4459-a59f-7c0441b652e3/man_of_sorrows_chords_f.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/355cf9db-90de-4c36-b711-79eb932b6c57/venkateswara_swamy_govinda_namalu_telugu_lyrics.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/64c1c272-2719-433c-9664-9c7e3aa468dc/39270013696.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bf18b289-ac81-4023-8fe1-07a694181850/can_silent_hunter_3_run_on_windows_10.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c602.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC602	5584 bytes
SHA-256: `8a12b168ef24a87f122edb77342edbfe2864f1b920695cec07dcc41416925a2e`
`font_01_sfnt_off0000d8dd.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8DD	10592 bytes
SHA-256: `77fdb87c66835c9a9d8f6dc674ddd1c5014c44405f0b0bb0fb29480675508796`

Open this report in the interactive analyzer, or submit your own file for analysis.