PDF malware analysis — malicious · 66f4db0c5685b4c9

MALICIOUS

PDF

79.2 KB Created: 2021-04-16 11:01:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 5f783f697c15a5fea7eefdd110f93f5d SHA-1: cbae34a6e0d47b68e493ee89d7b4fc63b2455e2b SHA-256: 66f4db0c5685b4c98256bb3e96b463470c8aa005ce1758bfdb67e4478ffa553d

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document was flagged by ClamAV as 'Pdf.Phishing.Trojan' and ML classifiers indicated a high probability of maliciousness. It contains an embedded URI pointing to 'fokemale.ru', which is likely a phishing or malware distribution site. The PDF structure also suggests it's part of a link farm on disposable hosting, further indicating malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://fokemale.ru/strik?utm_term=do+movado+watches+go+up+in+value PDF link annotation
- https://static.s123-cdn-static.com/uploads/4455881/normal_6000adfa54337.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4386330/normal_5fc87221bae87.pdfIn PDF document text
- https://cdn.sqhk.co/fevivesuxofo/agdgdhe/loxakurafufalesuwimipitiv.pdfIn PDF document text
- https://cdn.sqhk.co/dejowipapoli/jhhe6IE/17559424585.pdfIn PDF document text
- http://autobuff.xyz/neneraworopekapepudatid6j6yh.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4392439/normal_60317226c1beb.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426423/normal_600ff61bee5a8.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4406208/normal_605d237664c00.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4379385/normal_5ff4d5878ad74.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408170/normal_6031361a961ad.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4459479/normal_5ffd3e0e6cb77.pdfIn PDF document text
- http://egrn-order.online/milwee_bell_schedule53nt4.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4459805/normal_5ffda7736928a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4444884/normal_603115df43729.pdfIn PDF document text
- http://kudretbozaci.com/42908506516bzza4.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://f7f2eb1f-4ce6-40bf-b337-6bcc2c9c1a95.filesusr.com/ugd/dc6899_8eefdf42fcac4e5ebc513ea90a40e7a6.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cd273538-943c-428e-b891-3f29fc317a03/sulotexiwufu.pdfIn PDF document text
- https://70fbc5f3-53e4-4072-9ff7-a5862d19847b.filesusr.com/ugd/bb3bf9_c2c623011f2f4c6ca0cf0cbda2acf0da.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/d63820a4-5762-4f79-9e6c-84d7e6bcea10/obama_free_healthcare.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4a4e12be-e95d-476d-9498-2106a349f6c5/what_do_i_do_if_i_lost_my_p_ebt_card.pdfIn PDF document text
- https://ee42ee57-4547-4a8c-8a66-6cccb7f6869d.filesusr.com/ugd/2a9ad2_cd8f6cc8b25043df97efc5d9d453b524.pdf?index=trueIn PDF document text
- https://db244590-af71-4c33-bd6e-2f8f55f31281.filesusr.com/ugd/fdab61_ed673aa8c8fc43fd8ca65bf79162c94a.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/734baca7-88df-4596-9030-11a7116b7455/56942709581.pdfIn PDF document text
- https://8eccd3b7-fb20-4588-a5b5-4d8c58591879.filesusr.com/ugd/0e6328_e7b76cb0088c473b9a8b7ac4b333f722.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f56c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF56C	5540 bytes
SHA-256: `09da2f727f8b35e161664987550ca843bbc92b44c46f0dcef1625eaad4ac49a8`
`font_01_sfnt_off0001083e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1083E	11360 bytes
SHA-256: `551353e337041e228fb6c80716afc48a4e02323651bb59cb70b6212cd2e06270`

Open this report in the interactive analyzer, or submit your own file for analysis.