PDF malware analysis — malicious · 59401b4426b14e74

MALICIOUS

PDF

75.4 KB Created: 2021-03-17 05:54:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-28

MD5: 50b131548c98d8186acfd4d5ce816ae5 SHA-1: eacc4932cb58097292a7456275053d8d201da79f SHA-256: 59401b4426b14e743fc0652852d241f3f5d2989c1d9c2f8e67e00cc49525b3cf

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a significant number of external links, suggesting it functions as a link farm designed to redirect users to potentially harmful websites. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly support this attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://midufefew.ru/wix?keyword=what+does+muck+fire+do PDF link annotation
- https://cdn.sqhk.co/mowanideju/rfkIiaV/4278210843.pdfIn PDF document text
- https://cdn.sqhk.co/bimowikosaru/eKhjgfd/laridusatokinutore.pdfIn PDF document text
- http://dakixofib.22web.org/vazowemufegeputakarijabo.pdfIn PDF document text
- https://cdn.sqhk.co/mojuzizimu/jeZpTjg/swing_manager_mcdonald_s_duties.pdfIn PDF document text
- https://cdn.sqhk.co/jogepirar/hb1oscA/pubg_gun_sound_message_ringtone.pdfIn PDF document text
- https://cdn.sqhk.co/loberutebe/ieY3ibo/62269623629.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://679cd94f-bb1f-411a-9684-d99498fe93d6.filesusr.com/ugd/ce16d4_3e76ca0d0cff4e1e97942a5790137c92.pdf?index=trueIn PDF document text
- https://fccd5518-64e1-462d-9dbe-8d8d8a19ca7a.filesusr.com/ugd/eb005d_6383c261a2c2453cbe3d1e302cf6924c.pdf?index=trueIn PDF document text
- https://add83a7c-0e31-48b3-928b-061d82ba9144.filesusr.com/ugd/205ae4_fd0a04eebc224347a925262dc60c136f.pdf?index=trueIn PDF document text
- http://vupudogexuvowub.epizy.com/79949467598.pdfIn PDF document text
- https://4dd4a32c-aced-41d2-87e6-7ff9ca8080d7.filesusr.com/ugd/6d6f33_4ba7bc2025fb42dca15c48e48b7362d4.pdf?index=trueIn PDF document text
- https://b84c3727-5d5a-4c5d-9d5d-21cac87b3a69.filesusr.com/ugd/fdd6c2_1993ef28bf6748c187c522428cd6de61.pdf?index=trueIn PDF document text
- https://6762652a-e869-40f3-960d-1446d4066230.filesusr.com/ugd/55e6b1_2439f85fab974c2ea1c6e7ebce41b57a.pdf?index=trueIn PDF document text
- https://8c56b32b-3398-45d6-9c0b-b55146621f16.filesusr.com/ugd/6924eb_3f3bdaef574f407293dcd0e49ed2c77f.pdf?index=trueIn PDF document text
- https://27420876-d215-4860-9a72-f48db0d0c320.filesusr.com/ugd/4062c2_b2afc274bfbc4bb192f473752192a3a9.pdf?index=trueIn PDF document text
- https://92ddf5cc-4ce7-4caf-b117-8241c553a727.filesusr.com/ugd/42bae0_2811fe034b4746668ee9df63a3d8c4e1.pdf?index=trueIn PDF document text
- https://eaa62ee9-779c-4a2d-9f50-6c66b019a99c.filesusr.com/ugd/1cc777_9cf089909e124a85b4ff6e4b36783073.pdf?index=trueIn PDF document text
- https://8b2103c5-345b-48fd-98e3-f19c90c4efd0.filesusr.com/ugd/0e2875_5be8c9679db34deb9f9bff510f3576ca.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ea8c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA8C	5304 bytes
SHA-256: `16260cdeebbbd2d46f532cc04f9c3da2cd82908102ca2956d1bce996fc372a3c`
`font_01_sfnt_off0000fc7f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFC7F	10620 bytes
SHA-256: `279d3d19745b631d2c6b099a1a38bfd3d11ebf4d6b4d4ba0e0e684f3b2e8907e`

Open this report in the interactive analyzer, or submit your own file for analysis.