MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://yafferge.ru/strik?utm_term=verb+tenses+english+exercises+pdf'. This URL is likely used to lure the user to a phishing or malware distribution site. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL in a PDF is a strong indicator of a phishing or malware delivery attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: https://yafferge.ru/strik?utm_term=verb+tenses+english+exercises+pdf (in PDF document text)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f63c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF63C | 5380 bytes | 0ba17bd1c2b8b4b77e186ef974f4b142be299ad99579f142a32f7912cea44f4d |
| font_01_sfnt_off0001088e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1088E | 10676 bytes | bf997ea97b9e39101b4f5c2c50b9995b885d84dc9b7b2d696fd5801e3ce118c5 |