PDF malware analysis — malicious · 57dfc666954d7af1

MALICIOUS

PDF

85.6 KB Created: 2021-03-09 00:07:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26

MD5: a1a9e7c5c22275cf6ca03b8146f7f1e7 SHA-1: d99ba4ab755d18737e153c173848c937203c969f SHA-256: 57dfc666954d7af1e3769a9eba436eb54f59138e5040e27d7c8a4aa033ccf3c7

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm designed for SEO manipulation or phishing. The primary URL, 'https://xezojetit.ru/wix?keyword=recovery+account+password+facebook', indicates a phishing attempt related to account recovery. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xezojetit.ru/wix?keyword=recovery+account+password+facebook PDF link annotation
- https://cdn-cms.f-static.net/uploads/4492574/normal_602eecbc19ee0.pdfIn PDF document text
- http://marketitaly.info/gituxikelanakurudjfw7l.pdfIn PDF document text
- https://cdn.sqhk.co/zudilubal/Uidlija/torque_burnout_unlock_all_cars_apk.pdfIn PDF document text
- https://cdn.sqhk.co/baxoladipezu/8hbKyNK/16041987695.pdfIn PDF document text
- http://keepsufi.space/61025145483muv05.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379605/normal_5fe74bc3aa615.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4447649/normal_602e33b2237d9.pdfIn PDF document text
- https://cdn.sqhk.co/kajurineg/jb37jbU/super_vpn_for_pubg_mobile_download.pdfIn PDF document text
- https://cdn.sqhk.co/labifikup/Ygjjohh/bexaxotimomuvivavavexof.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/50dc6063-2bb9-4551-a517-fd0b13a4e93e/nescafe_dolce_gusto_coffee_machine_instructions.pdfIn PDF document text
- https://13adc596-845f-4f4a-b539-e2c04a0a4b5a.filesusr.com/ugd/6e2da7_0951567d51f746b394491584bb6320f5.pdf?index=trueIn PDF document text
- https://2863666b-9d79-467d-9aad-9eeb6dafbdf2.filesusr.com/ugd/6ee3eb_8d8e0e8e03de4fff96fb36276c18f5ba.pdf?index=trueIn PDF document text
- https://e114ad41-1367-46fe-a5fd-427bf640f69d.filesusr.com/ugd/a63c55_bbc1f55443574a39b8e617c0f21c4ec3.pdf?index=trueIn PDF document text
- https://7c9e9c40-2b96-4f88-8065-b5ff5e495659.filesusr.com/ugd/3bfcae_855b334c18a34d02ad60b05f2e533218.pdf?index=trueIn PDF document text
- https://6ce95562-7558-49ee-a7b0-b3003db3b0e9.filesusr.com/ugd/d13e1f_60d1798b72d34a9fb01743add7f06398.pdf?index=trueIn PDF document text
- https://5b3fc17b-a4fb-4144-9a53-ff617e35bc6a.filesusr.com/ugd/696117_ef3d40838a534bb1a339066e25402d69.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0e1222d1-7a1a-4db3-b286-4c291dfe9791/11363484992.pdfIn PDF document text
- https://6cb1c90e-07cf-4522-b85d-4edd8abc33c8.filesusr.com/ugd/0c41e7_e7681e461bc64fcd84895f7d3e2bec23.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cf18ca60-a73b-4daa-a378-25d60e877f82/wopajepugikivaminejo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010716.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10716	5584 bytes
SHA-256: `ebd16e2922d6f8634c408bf977037fd139d22b3bc6216abb88738706b6693c8c`
`font_01_sfnt_off00011a3e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11A3E	14724 bytes
SHA-256: `3c46bf3648e0ea2ed30669325cef22cdfbd946bd04a52b3d716694570728c7a2`

Open this report in the interactive analyzer, or submit your own file for analysis.