Verdict: MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF was detected as malicious by ClamAV (Pdf.Phishing.Trojan signature) and by the ML classifier (Nyx score 0.8702), consistent with a phishing lure rather than an exploit document. It carries 21 embedded URLs spread across many unrelated hosts. One of them, https://bologen.ru/strik?utm_term=hands-on+machine+learning+with+scikit-learn+and+tensorflow+book+pdf, has a utm_term parameter holding a search query, the SEO-redirector marker of the 'free document/template' PDF family, and most of the rest point at other PDFs parked on free or disposable content hosts (filesusr.com, f-static.net, s123-cdn-static.com, cdn.sqhk.co). The PDF_SEO_DISPOSABLE_LINK_FARM heuristic therefore reads the file as a link farm built to rank for search queries and route readers into redirect or payload chains; the PDF itself carries no exploit, so the risk lies in the linked destinations, not in opening the file. Two caveats for triage: the www.ascendercorp.com and scripts.sil.org/OFL links are font-licence URLs of the kind carried by embedded font metadata (an sfnt font is carved below) and are unlikely to be lures; and none of the four heuristics on this page reports embedded JavaScript, so the T1059.007 mapping above is not corroborated by the listed detections.
Machine Learning
- Nyx PDF Classifier malicious score 0.8702
Heuristics (4)
- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting. The PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- [info] PDF_URI: External URI. The PDF contains an external URL action.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs (21):
  - https://bologen.ru/strik?utm_term=hands-on+machine+learning+with+scikit-learn+and+tensorflow+book+pdf
  - https://cdn.sqhk.co/benibavagoge/eURhc2C/social_media_viral_video_bihar.pdf
  - https://cdn-cms.f-static.net/uploads/4383170/normal_6044f4bfeb12f.pdf
  - http://mebets.xyz/por_que_me_crecen_las_uas_hacia_abajo05kbs.pdf
  - https://cdn.sqhk.co/sisadenev/smgjv2D/predator_350_essential_fishing_rod_set.pdf
  - https://static.s123-cdn-static.com/uploads/4481163/normal_6006478796ef5.pdf
  - https://static.s123-cdn-static.com/uploads/4445341/normal_5ff63822a8d23.pdf
  - http://zeropium.com/tizemepekupabok04o7s.pdf
  - https://cdn.sqhk.co/jipuxoxukul/l8igFij/rejuke.pdf
  - http://899themes-demo.ru/apollo_twin_solo_duo_differencegsmqa.pdf
  - https://cdn.sqhk.co/nibidawe/Tgdp5QG/37057487681.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_4a0901ea873e439c8f081781ae51efa3.pdf?index=true
  - https://932aa67c-856a-4fda-9fc8-fe3f50d4acc2.filesusr.com/ugd/a25eee_6db3df76cdd6464ba8a0e6525bfaabed.pdf?index=true
  - https://78de399b-5cb1-4d05-8290-e7933402b20f.filesusr.com/ugd/10f998_0d43b2cc91394f4898441b4f0a9c357a.pdf?index=true
  - https://14da0a27-f261-4d4b-8668-3a369f5c966d.filesusr.com/ugd/46429b_002919f3b97c4fa284b9784a7c1c4eb0.pdf?index=true
  - https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_1fb9763bbf7646999a85b2032c775a2e.pdf?index=true
  - https://75e6d08a-b14f-4c2c-bd4e-3e6431d9d11c.filesusr.com/ugd/497a87_1c9c78af24ce45a29c6adb174b11aa3e.pdf?index=true
  - https://6363ce23-9394-4102-a476-7be320345719.filesusr.com/ugd/7c41c1_d89767025d8b4d6782bbd7f4471f0c6e.pdf?index=true
  - http://scripts.sil.org/OFL
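As an added example (editor's code, not the analyzer's own implementation), the Python below reproduces the two URL-centred signals in this report. First it pulls /URI link-action targets out of a constructed PDF fragment, the signal behind PDF_URI, including the escaped-parenthesis case that breaks a naive `\(([^)]*)\)` pattern. Then it runs a link-farm test of the kind PDF_SEO_DISPOSABLE_LINK_FARM describes over the 21 URLs listed above: number of links, number of distinct registrable hosts, share of the most frequent host, utm_term redirector links and links on disposable hosts. The thresholds (min_links, min_hosts, max_dominant_share), the DISPOSABLE_HOSTS set and the last-two-label eTLD+1 are assumptions, not the analyzer's values; the SAMPLE_PDF bytes are constructed and not carved from the sample.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed PDF fragment (not from the sample): two /Link annotations with /URI
# actions. The second target uses \050 and \051 octal escapes for "(" and ")".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"  /A << /S /URI /URI (https://bologen.ru/strik?utm_term=hands-on+machine+learning) >> >>\n"
    b"endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [72 670 300 690]\n"
    b"  /A << /URI (http://mebets.xyz/free_template\\050v2\\051.pdf) /S /URI >> >>\n"
    b"endobj\n"
    b"%%EOF\n"
)

# A PDF literal string runs to the first unescaped ")"; any byte after a backslash is
# part of the string, so an escaped ")" inside a URL must not terminate the match.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
_ESCAPE = re.compile(rb"\\([0-7]{1,3}|.)", re.S)


def _unescape(raw: bytes) -> str:
    # Resolve \ddd octal, \n \r \t, and the self-escapes \( \) \\ .
    def one(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return _ESCAPE.sub(one, raw).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Every /URI action target in document order (literal-string form only)."""
    return [_unescape(m.group(1)) for m in _URI_LITERAL.finditer(pdf)]


# The 21 URLs listed under EMBEDDED_URL in this report.
REPORT_URLS = [
    "https://bologen.ru/strik?utm_term=hands-on+machine+learning+with+scikit-learn+and+tensorflow+book+pdf",
    "https://cdn.sqhk.co/benibavagoge/eURhc2C/social_media_viral_video_bihar.pdf",
    "https://cdn-cms.f-static.net/uploads/4383170/normal_6044f4bfeb12f.pdf",
    "http://mebets.xyz/por_que_me_crecen_las_uas_hacia_abajo05kbs.pdf",
    "https://cdn.sqhk.co/sisadenev/smgjv2D/predator_350_essential_fishing_rod_set.pdf",
    "https://static.s123-cdn-static.com/uploads/4481163/normal_6006478796ef5.pdf",
    "https://static.s123-cdn-static.com/uploads/4445341/normal_5ff63822a8d23.pdf",
    "http://zeropium.com/tizemepekupabok04o7s.pdf",
    "https://cdn.sqhk.co/jipuxoxukul/l8igFij/rejuke.pdf",
    "http://899themes-demo.ru/apollo_twin_solo_duo_differencegsmqa.pdf",
    "https://cdn.sqhk.co/nibidawe/Tgdp5QG/37057487681.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_4a0901ea873e439c8f081781ae51efa3.pdf?index=true",
    "https://932aa67c-856a-4fda-9fc8-fe3f50d4acc2.filesusr.com/ugd/a25eee_6db3df76cdd6464ba8a0e6525bfaabed.pdf?index=true",
    "https://78de399b-5cb1-4d05-8290-e7933402b20f.filesusr.com/ugd/10f998_0d43b2cc91394f4898441b4f0a9c357a.pdf?index=true",
    "https://14da0a27-f261-4d4b-8668-3a369f5c966d.filesusr.com/ugd/46429b_002919f3b97c4fa284b9784a7c1c4eb0.pdf?index=true",
    "https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_1fb9763bbf7646999a85b2032c775a2e.pdf?index=true",
    "https://75e6d08a-b14f-4c2c-bd4e-3e6431d9d11c.filesusr.com/ugd/497a87_1c9c78af24ce45a29c6adb174b11aa3e.pdf?index=true",
    "https://6363ce23-9394-4102-a476-7be320345719.filesusr.com/ugd/7c41c1_d89767025d8b4d6782bbd7f4471f0c6e.pdf?index=true",
    "http://scripts.sil.org/OFL",
]

# Assumption (editor's list, not the analyzer's): registrable domains of free/disposable
# content hosts seen in this family. Maintain it from your own intelligence.
DISPOSABLE_HOSTS = {"filesusr.com", "f-static.net", "s123-cdn-static.com", "sqhk.co"}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_assessment(urls, min_links=8, min_hosts=5, max_dominant_share=0.5):
    """Link-farm test in the spirit of PDF_SEO_DISPOSABLE_LINK_FARM; thresholds are assumptions."""
    hosts = [registrable(urlsplit(u).hostname or "") for u in urls]
    counts = Counter(hosts)
    top_host, top_n = counts.most_common(1)[0]
    share = top_n / len(hosts)                      # "no single dominant host" test
    seo_redirectors = [u for u in urls if "utm_term" in parse_qs(urlsplit(u).query)]
    disposable = sorted(h for h in counts if h in DISPOSABLE_HOSTS)
    pdf_links = sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls)
    fires = (len(urls) >= min_links and len(counts) >= min_hosts
             and share < max_dominant_share and bool(seo_redirectors or disposable))
    return {
        "links": len(urls), "distinct_hosts": len(counts),
        "top_host": top_host, "top_share": round(share, 3), "pdf_links": pdf_links,
        "seo_redirectors": seo_redirectors, "disposable_hosts": disposable, "fires": fires,
    }


if __name__ == "__main__":
    print(extract_uri_actions(SAMPLE_PDF))
    for key, value in link_farm_assessment(REPORT_URLS).items():
        print(f"{key:16} {value}")
```

On the report's URLs this gives 10 registrable hosts, filesusr.com the most frequent at 7 of 21 (share 0.333), one utm_term redirector, 17 targets ending in .pdf and four disposable-host families, so the test fires. The www.ascendercorp.com and scripts.sil.org/OFL links are counted as the report counts them, although they are font-licence URLs of the kind embedded font metadata carries; a production rule would whitelist such hosts before scoring.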
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Digest | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e19e.bin | b90fbc46fc356a3a19fe888d111022c3e0fd41156ba923cc2a214f4d2a84850d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE19E | 5856 bytes |