Malicious PDF — malware analysis report

Static analysis result for SHA-256 74b41cc54e6cc8f7…

MALICIOUS

PDF

Size: 75.2 KB
Created: 2021-05-12 05:12:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d09736d7de0c82cf9f83702c05bef6f4
SHA-1: 3a120d07b81bcfd87f5517047f75e3a58c5344a4
SHA-256: 74b41cc54e6cc8f7603b7100d8418759c0b8f0e75949ecf952ab09351d835791
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which point to disposable hosting and are used in a link farm pattern, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The document body, though heavily obfuscated, appears to be a lure related to legal documents, likely to trick users into clicking the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8022

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd6e.bin
SHA-256: d7621ea6b1b48aa13ae68d276964234d888f9f81c3d0b34cbc9919a75db894ad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFD6E
Size: 5716 bytes