Verdict: MALICIOUS
Risk Score: 156

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a significant number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a malicious intent to direct users to potentially harmful websites. One such link, 'https://resalured.ru/123?utm_term=please+answer+me+1988', is directly embedded. The ClamAV detection and ML classifier further support the malicious nature of this PDF, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9977
Heuristics (5)
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://resalured.ru/123?utm_term=please+answer+me+1988
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00012700.bin (hash 2bfa80643a1d9a80503ca394293435bc80cd0a52f5b1e59d2c64fafb4b086b9a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12700 | 20252 bytes |
| font_01_sfnt_off00016214.bin (hash cb32f63b4ce9abf5073a6c6a065bc1e932c72df2427ab34249cc45f9dbfe7ca7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16214 | 5324 bytes |
| font_02_sfnt_off0001742b.bin (hash 5c78b57ae2932de8934fd4bfd4cdca489a156fe958dfdd3888428cd66f56938f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1742B | 11468 bytes |
| font_03_sfnt_off00019b80.bin (hash 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19B80 | 16092 bytes |