PDF malware analysis — malicious · 5a9247fff44696e4

MALICIOUS

PDF

81.4 KB Created: 2021-03-29 02:01:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: d86b6265b3ec570cd25515f391936242 SHA-1: 5fbf6595fbc10d53fe31382b7f0765a2f1e0fa90 SHA-256: 5a9247fff44696e4f4da7c11d15acbb0a22e8f12c01c067a04a2ffd52e047292

246 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The sample is a PDF document that contains a large number of external links, many of which are hosted on disposable domains, indicating a link farm. A critical heuristic identified a brand-impersonation credential phishing lure, specifically impersonating American Express, and points to the redirector URL https://jitavemalidev.weebly.com/uploads/1/3/1/8/131871699/palejoz.pdf. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH

Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://jitavemalidev.weebly.com/uploads/1/3/1/8/131871699/palejoz.pdf.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jottigo.ru/award?keyword=pictionary+cards+easy+pdf PDF link annotation
- https://cdn.sqhk.co/rorezina/lgjRhih/8378427408.pdfIn PDF document text
- https://cdn.sqhk.co/voxedifi/heibhi4/abrsm_uk_exam_entry_form.pdfIn PDF document text
- https://jitavemalidev.weebly.com/uploads/1/3/1/8/131871699/palejoz.pdfIn PDF document text
- http://salizurewaki.mypressonline.com/artificial_intelligence_journal_2020.pdfIn PDF document text
- https://cdn.sqhk.co/rolileduvof/ajjLghN/68517404282.pdfIn PDF document text
- https://vobasonuniba.weebly.com/uploads/1/3/4/6/134668907/109d20e241a11fe.pdfIn PDF document text
- https://cdn.sqhk.co/besudamuge/fgj0znP/word_pets_game.pdfIn PDF document text
- http://therarbooks.com/word_breaker_appx8tfh.pdfIn PDF document text
- https://cdn.sqhk.co/zarejesorufo/iifhjWo/sculpt_3d_model_free.pdfIn PDF document text
- http://santecmb-sarl.com/what_are_missguided_shoe_sizes_likerarud.pdfIn PDF document text
- http://lubevos.scienceontheweb.net/dakotagumivax.pdfIn PDF document text
- http://noxogejukebe.mypressonline.com/neonatal_jaundice_nursing_care_plan.pdfIn PDF document text
- https://cdn.sqhk.co/fefamuve/iiNk7YF/31754748397.pdfIn PDF document text
- http://wwbook.org/blank_page_picqsgrw.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://wuwedilejom.myartsonline.com/trumpet_music_free.pdfIn PDF document text
- https://s3.amazonaws.com/mukut/ambarsariya_music_ringtone.pdfIn PDF document text
- http://mixezized.myartsonline.com/exercices_cercle_trigonomtrique.pdfIn PDF document text
- https://s3.amazonaws.com/gopuze/double_down_meaning_slang.pdfIn PDF document text
- https://s3.amazonaws.com/fedufiporara/dexuzufiduker.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010043.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10043	5220 bytes
SHA-256: `dbdd6c1e842b752f01238bb7ddc0470f02eee5a1f730830294f9ac637011a28a`
`font_01_sfnt_off0001121d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1121D	11288 bytes
SHA-256: `a2d6683aa0c82be7cdc69ef9a2174cfc7e705290f3674831429458d35fe0cab1`

Open this report in the interactive analyzer, or submit your own file for analysis.