PDF malware analysis — malicious · 58e0ad3adbf95282

MALICIOUS

PDF

76.2 KB Created: 2021-03-09 01:10:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-20

MD5: 0207135fc57d7214388920fd2cea1ad8 SHA-1: ab18e915b208430c11e60b9d90735de4c2091ae1 SHA-256: 58e0ad3adbf95282ca6b23dca5e39a2b0f26155d5e10ebe10dcd14df0ee74965

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm. The primary malicious URL, https://vilenefex.ru/123?utm_term=informal+letter+english+spm, is likely used to redirect users to phishing or malware hosting sites. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/123?utm_term=informal+letter+english+spm PDF link annotation
- http://uggi-ugg.com/autoresponder_for_whatsapp_apkpurehlnhv.pdfIn PDF document text
- http://rawokixe.22web.org/mowov.pdfIn PDF document text
- http://nicepics.xyz/roziref5yfr.pdfIn PDF document text
- http://mavigawika.scienceontheweb.net/roxisimudijuradaxuz.pdfIn PDF document text
- http://nurigoluda.mygamesonline.org/how_to_grow_a_garden_in_south_florida.pdfIn PDF document text
- http://shop-you.xyz/the_selection_book_3_common_sense_media79s54.pdfIn PDF document text
- http://copyright-security-ig.com/the_castle_of_otranto_sparknotes_chapter_1bubo5.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/b030f7fa-7b29-4c18-8297-22785af786e2/17220139121.pdfIn PDF document text
- http://birelasali.rf.gd/sikafoxanove.pdfIn PDF document text
- http://sabiwilurase.atwebpages.com/html_css_js_learn.pdfIn PDF document text
- https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_a8f731715fff4379b840e13a3fdc5b8a.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cd153d6b-c6c1-4eb0-8f09-f57bfe024eb9/36229404571.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a29f2226-70ec-42f8-9796-6abc2e8d1cd9/4709398030.pdfIn PDF document text
- https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_aa35822b2a4148d7ac55230c19716ac5.pdf?index=trueIn PDF document text
- http://vewawisu.onlinewebshop.net/beauty_and_the_beast_sheet_music_scribd.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/905b360f-f744-45c0-b762-13b64d78e7b8/78158730561.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b0762dfd-190a-48d8-828e-b049b39d4a7e/spongebob_kills_mr_krabs_worksheet.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a12eaac8-c3ea-4553-a4ea-9ef887fac34e/zuvapegezubasonapanibi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/36d481ff-d3e2-4a4c-b6a6-7d0738149427/war_of_the_worlds_watch_online.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b54466f9-4fd8-4c6b-8add-b826beb889c2/pallet_jack_pump_repair_kit.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ee66.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEE66	5252 bytes
SHA-256: `198dd625849b7f2085b837b2a35d9174048aaa308509cc0483c7b20e45a65619`
`font_01_sfnt_off0001001b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1001B	10432 bytes
SHA-256: `35a48c74ee4d5ecd4d94cae60b0c6bb9efa4cf994f0855f1cae551b24cdf2000`

Open this report in the interactive analyzer, or submit your own file for analysis.