Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document contains a large number of external links, many of which are hosted on disposable domains or link farms, suggesting a malicious intent to redirect users to potentially harmful content. The primary URL, 'https://lozipotod.ru/strik?utm_term=install+hp+laserjet+p1102+without+cd', indicates a lure related to installing printer drivers. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://lozipotod.ru/strik?utm_term=install+hp+laserjet+p1102+without+cd (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f145.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF145 | 5476 bytes | 91dba25a0970d5e86cdf1cec30e4634ed99964e0c5097521db7378fb70cf3348 |
| font_01_sfnt_off000103dc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103DC | 10912 bytes | 97f153119ee76ed56d5361dfe4e6efe6232e60c5fc1e8b6e875af0fa07fc29c3 |
| font_02_sfnt_off000128f6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128F6 | 4324 bytes | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |