PDF malware analysis — malicious · 5b643d0e490ee1b2

MALICIOUS

PDF

69.6 KB Created: 2021-03-31 19:15:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: eeb999b51beb3ef16bfdceee69807e36 SHA-1: e59e40d2ad1b58694a7fb781358c2923e7b83244 SHA-256: 5b643d0e490ee1b21ce1b3098a3a7917c4290f53a774b9d0c2427c89e646befd

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious content or phishing sites. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate an attempt to obscure the true destination and potentially distribute malware or facilitate phishing campaigns.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/strik?utm_term=the+tin+forest+planning+tes
- https://medekokimezud.weebly.com/uploads/1/3/4/7/134748457/a4fbb2901.pdf
- http://fibisazorowax.mypressonline.com/seseboguzidimubaxoza.pdf
- https://static.s123-cdn-static.com/uploads/4491451/normal_5fc9fa3a6ec07.pdf
- https://mimedotaxejibi.weebly.com/uploads/1/3/0/8/130873786/vonaralopuf_vinutuzedotevif.pdf
- http://vukufitu.mywebcommunity.org/atlanta_nights.pdf
- https://xomugiwonin.weebly.com/uploads/1/3/4/2/134266294/mikum-tikanedezusumul-divuko.pdf
- https://wotipufa.weebly.com/uploads/1/3/1/0/131069738/zowobodulas.pdf
- https://cdn-cms.f-static.net/uploads/4378619/normal_60603db1046ce.pdf
- https://giwirakixa.weebly.com/uploads/1/3/3/9/133999144/7143012.pdf
- https://cdn-cms.f-static.net/uploads/4366319/normal_604cc0f92f34b.pdf
- http://kemutedetabu.scienceontheweb.net/danulalavimizedemom.pdf
- http://mavaxur.mywebcommunity.org/tavozad.pdf
- https://cdn-cms.f-static.net/uploads/4488133/normal_6044e75c8d6fe.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://f8d82b49-d438-4da2-b906-f876cb6fe635.filesusr.com/ugd/12dc78_5531c7d6ad954135b8849735ad6667d6.pdf?index=true
- http://vejegaba.atwebpages.com/how_to_reset_corsair_k95_keyboard.pdf
- https://51da6a7d-ee05-4a49-87ee-1b74af3aeb07.filesusr.com/ugd/b80405_82f4f89f5a984bde9adcdebb03547a61.pdf?index=true
- https://1c8fadd7-09eb-4d2b-9d42-8e747ba5ce52.filesusr.com/ugd/60625b_fb53a8ca05834bebaaafcd0eed7350dc.pdf?index=true
- https://90ff81fc-98d9-4e53-96a3-aaa5c1c2042e.filesusr.com/ugd/bb5aff_e02b0787ed934326bb717a9c2de887a7.pdf?index=true
- https://uploads.strikinglycdn.com/files/69b84b64-e786-4742-8fc1-1d046dde663e/84944897212.pdf
- https://uploads.strikinglycdn.com/files/b394d7cb-56d7-4cf0-8ca0-316cd876494e/tapulagovixajabeki.pdf
- https://4ac36a2f-1533-488b-b282-cf34cdace458.filesusr.com/ugd/bcfc12_0c4178d38d9346ec922c5aa66a2c9fd8.pdf?index=true
- https://uploads.strikinglycdn.com/files/77cb753d-3f07-4ed0-9335-4a4c07180bd7/proc_univariate_histogram_bin_width.pdf
- https://0ea28b16-58c2-472d-b6be-3e97fe9b7bb6.filesusr.com/ugd/696b8a_529404529a96480fae9b225cfb4bca42.pdf?index=true
- https://2f60c0de-bae8-48d8-8f3f-ce7907f87c52.filesusr.com/ugd/badafb_c236dbffd5854b53862775de558694e2.pdf?index=true
- https://18e99e0c-7034-4a8c-9069-267580a295b8.filesusr.com/ugd/b337f5_8dcb6c26f9e240dca88f705c954f30b6.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d3e5.bin` `b7628f0ae01f3b85d426fa0a160c8e17b98238266ff8d577dd5c891b031cfb37`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD3E5	5112 bytes
`font_01_sfnt_off0000e548.bin` `9caa16f768e7961e396913aba0fb0f4e1b547f026709524533134cea5ff8f2f9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE548	10004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.