PDF malware analysis — malicious · 5d7ff416ee2a9343

MALICIOUS

PDF

70.9 KB Created: 2021-09-14 12:06:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26

MD5: fa376ef31106dc17071aa60c9b368c7f SHA-1: ba0062543d19fc378756181aec846f8a4510f7f5 SHA-256: 5d7ff416ee2a934364147ccf1237fd0b3733f318043b49343f28cbe037c08616

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and numerous external URIs, many of which point to disposable domains. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a high likelihood of this document being used to host a large number of links, characteristic of phishing or malware distribution campaigns. The ML classifier and ClamAV detection strongly suggest malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://daaeportrett.no/upload/file/8940891890.pdf In PDF document text
- https://www.nstoplana.rs/ckfinder/userfiles/files/33858649726.pdfIn PDF document text
- https://burgas-remonti.com/userfiles/file/pazatuxadulageda.pdfIn PDF document text
- https://bouveau-consulting.com/userfiles/file/65828305257.pdfIn PDF document text
- http://maroba-zirndorf.de/file/62875977847.pdfIn PDF document text
- http://saint-party.com/media/file/22449712559.pdfIn PDF document text
- https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/gadibsq48daqh5ctasqeu8qrmk/35596138239.pdfIn PDF document text
- http://sskj.pl/userfiles/file/zasuzutadizujodelivini.pdfIn PDF document text
- http://cloudinfo01.smartevolve.com/images/ckeditor/files/72766967800.pdfIn PDF document text
- https://newtop-eg.com/userfiles/file/rusumukolukufomekotev.pdfIn PDF document text
- http://www.dgtrans.co.th/login/ckfinder/userfiles/files/38875010961.pdfIn PDF document text
- http://xn--9i1b14lzokxjcrti5um.com/upload/fckeditor/file/94152664917.pdfIn PDF document text
- https://certifiedmoversinc.com/wp-content/plugins/super-forms/uploads/php/files/ecb8bb127d08f0b797578ba80152e329/buzafasebopaxefiwofevafox.pdfIn PDF document text
- https://walterchiropracticclinic.com/home/walter/public_html/ckfinder/userfiles/files/26877891307.pdfIn PDF document text
- https://fundreamz.com/ckfinder/userfiles/files/79029965872.pdfIn PDF document text
- http://www.llmhospital.com/www/js/ckfinder/userfiles/files/82605860980.pdfIn PDF document text
- http://exosushi.com/uploads/files/78844820602.pdfIn PDF document text
- https://rumahbaruku.com/contents/files/meziwosevu.pdfIn PDF document text
- http://gunjanjain.com/app/webroot/js/uploads/files/93334708292.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/fzgW7-mxBc0/uplcv?utm_term=20k+house+bloxburg+2+storyPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b34d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB34D	10720 bytes
SHA-256: `e265ea4ff407a54b72ce67d89516784d643b84f8e004722ddd40c32e1b57c846`
`font_01_sfnt_off0000cc32.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCC32	16852 bytes
SHA-256: `5736afd44eef2608d143ecaacc4b3445ad31f0381813406197308a8d790b00b7`
`font_02_sfnt_off0000f6c7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6C7	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.