PDF malware analysis — malicious · 6d76abd2af720780

MALICIOUS

PDF

73.3 KB Created: 2021-04-25 00:49:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-10

MD5: cdc664a63b551a4e16f1917407c69f95 SHA-1: fd3c6a6fe78d8eb28bf54a8ee43d707495e1479a SHA-256: 6d76abd2af720780877dd69e53f30b5444c324ee746ea03ebe9dc17f59c9686e

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The document body, though heavily obfuscated, appears to be a lure related to autoclave troubleshooting, directing users to potentially malicious URLs.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://kuzutuzo.ru/strik?utm_term=midmark+m11+autoclave+troubleshooting PDF link annotation
- https://static.s123-cdn-static.com/uploads/4501810/normal_5fc725da5bdbb.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4419413/normal_606646e753e22.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4493891/normal_60313a6ebcdb4.pdfIn PDF document text
- http://salonhq.xyz/50978516139iz84s.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4460447/normal_5fcf118e5e62b.pdfIn PDF document text
- http://smartbright.club/war_as_i_knew_it_full_book_free_download083nz.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4421966/normal_604dd70187d9d.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4384831/normal_5ffe9a7c6f68a.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://7648721b-06f4-4917-9c2a-921156fbbd07.filesusr.com/ugd/a7266c_08ea0481afff4667b519ece80847b73e.pdf?index=trueIn PDF document text
- https://f87ce62f-3d5d-4c42-bff3-2e7d00444551.filesusr.com/ugd/72ed28_55dd5d80eea04fb98af3f88d64aa8382.pdf?index=trueIn PDF document text
- https://d128792e-e0a8-46e0-98ed-b941f5da69b2.filesusr.com/ugd/b98abb_e1e743d147e34857b34a062c8dbf8b74.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/101f3c56-7b15-41e4-9751-4203068baf93/hisense_portable_ac_remote_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/78b4cdf2-c7aa-4211-8827-880a6a2e6637/24343278658.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b0328ed-79cd-49f6-bd5b-8f475b5d3784/how_to_adjust_polaris.pdfIn PDF document text
- https://3a00e800-a8eb-44ae-aafc-ae9aecab8e06.filesusr.com/ugd/1715bf_7a262fa6047b4ce786ff74349564f52f.pdf?index=trueIn PDF document text
- https://cad90261-f038-4e8a-b384-2e0e37e6cb8c.filesusr.com/ugd/4c4e45_f8139ef227104714a5f0c3efb88cc54f.pdf?index=trueIn PDF document text
- https://60f6da8c-824c-4163-aae9-6195f2ac7ed4.filesusr.com/ugd/7f16bd_caa08aec5fa24d61b2ce5ccbdbdba484.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/bb3e6126-3735-4835-8ed8-49442f474d31/what_can_i_make_with_shredded_cheese.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000df6a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDF6A	5672 bytes
SHA-256: `e47d0da4adfb34f7db2e697bf232792eb9541dc2b4892cd84ff68d5c5ce51a4c`
`font_01_sfnt_off0000f2a0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF2A0	10380 bytes
SHA-256: `3021c7ca6f9aa9d5007ebd66a6cab769a72dcec3513bcd4b59fcaf275ab57ce9`

Open this report in the interactive analyzer, or submit your own file for analysis.