PDF malware analysis — malicious · 64ff417179e4c041

MALICIOUS

PDF

76.8 KB Created: 2021-04-06 08:11:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-02

MD5: 422688dffb7a8cf8abbb96804cc5aa1f SHA-1: 3879f90e2934a04bd5e132bfcb553fbd24a87f87 SHA-256: 64ff417179e4c0418e0f65ce05b24d821ffd7042335e1731c6014efae034694f

194 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many pointing to disposable hosting, and is flagged as a link farm and a phishing lure. The embedded URL `https://seumenha.ru/123?utm_term=cgi+full+form+in+us+visa` suggests a pretext related to US visa applications to entice clicks. ClamAV also detected this as `Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0`, reinforcing the phishing and malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://seumenha.ru/123?utm_term=cgi+full+form+in+us+visa PDF link annotation
- http://kigowamukidiba.iblogger.org/application_format_for_leave_in_company.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://74df6fe0-557b-4e47-8461-f2df536053d0.filesusr.com/ugd/4dcf4e_5e35cb35db9c4b4191ca3654a405fe7f.pdf?index=trueIn PDF document text
- https://84daacc9-7e90-4c5d-b1ed-526950900c49.filesusr.com/ugd/73f3b0_2cb36a4ecb064362838060812c27552e.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/padosumifubobo/dough_sheeter_for_sale.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8d3efce9-9e9c-499a-9a49-c18c848e1fc5/romojepowuxewutikaverib.pdfIn PDF document text
- http://muvebabivixa.rf.gd/molecular_geometry_worksheet.pdfIn PDF document text
- http://pebafuduzuxifa.rf.gd/nigukun.pdfIn PDF document text
- https://68420551-d949-41c4-975b-2ae86aa6d062.filesusr.com/ugd/09c3c7_8462f40e3b8c47acacd63d58ce81349d.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/laradusa/23260965333.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/58a67b2f-0309-4858-9971-0ff3dac54a0e/sinafezewonefome.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a84ae822-4b6d-4cfc-9126-7b3a357a0ba9/genesis_v2100_assembly_instructions.pdfIn PDF document text
- https://5c817321-7c0c-448b-959d-deb1da9fd788.filesusr.com/ugd/19103d_9ddc7b606bb24f6cac326cbec9e273d3.pdf?index=trueIn PDF document text
- http://zumepif.rf.gd/deminonapel.pdfIn PDF document text
- https://27158da8-170d-48ca-a528-b8ced62fe517.filesusr.com/ugd/9fc8c3_522049f44f994a9c9e59b7412a47027d.pdf?index=trueIn PDF document text
- https://8ab1a2d5-e5b1-44c5-a28c-e09959565f0d.filesusr.com/ugd/eb712c_cbab630e48c045c0a221883f39dff35f.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/fizup/55445825349.pdfIn PDF document text
- https://s3.amazonaws.com/semuxemakaw/46672168989.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2424cdc3-4a5e-4b72-8501-b3bdc125bfb8/fojet.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f11c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF11C	5052 bytes
SHA-256: `a2aebb7c63ee510ee4990fcc9713e185fe710d83eb63094f0b1bafc7b54ada21`
`font_01_sfnt_off00010241.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10241	10564 bytes
SHA-256: `8256c783147be06bc2199146c7acd245cc9ef22db53db7a037c278446d1e41ae`

Open this report in the interactive analyzer, or submit your own file for analysis.