PDF malware analysis — malicious · 75e33dc020bfc155

MALICIOUS

PDF

80.6 KB Created: 2021-03-14 20:46:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: 04fdc1c58cfe613a15a3bb5a5dac333b SHA-1: 7707e6dc79fe845f5a515b5cf7f6341f64a0402c SHA-256: 75e33dc020bfc1554c32d871faab7e4c5826f0c724cf3320f1984cee8db54861

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was identified as malicious by multiple heuristics and a machine learning classifier. It functions as a link farm, containing numerous external URLs, with a significant number pointing to disposable hosting. The primary purpose appears to be directing users to potentially malicious or phishing content, consistent with a spearphishing attachment attack vector.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://kuzutuzo.ru/strik?utm_term=image+10.0+treadmill+key PDF link annotation
- https://wojaginobaxap.weebly.com/uploads/1/3/1/8/131857211/783354ec.pdfIn PDF document text
- http://tifimazupidad.iblogger.org/mizuvurebixigisabule.pdfIn PDF document text
- http://riwuveroxuwox.66ghz.com/89829083077.pdfIn PDF document text
- https://nelixifejesuvol.weebly.com/uploads/1/3/1/4/131406681/8297c70f3d.pdfIn PDF document text
- https://bitoxusimafitaj.weebly.com/uploads/1/3/4/3/134311342/2473810.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://naperopumo.rf.gd/povalarumajuxux.pdfIn PDF document text
- https://31c8a3d4-0132-49f1-a04f-09c79d03e01f.filesusr.com/ugd/a4da84_4eae8aabda9c469dbf84aa0ce9a899fe.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/37e036f8-0be1-4e97-b568-882103ddc6e8/funobinajeran.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/955b1a5e-141f-4752-af08-6b1b89dc61dd/budifufalori.pdfIn PDF document text
- https://2061f665-9309-41a6-981d-137229ee7e60.filesusr.com/ugd/eb2fe6_b3f428bf755e432199d102fa1aae8c61.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/98057437-3817-47b8-899c-0378e97f78df/jozobulilim.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a6a7b6ca-7d08-4d6c-a452-27ffc98d7c97/17181348511.pdfIn PDF document text
- https://48b7024d-7414-4593-b44d-ed892b96ad15.filesusr.com/ugd/3e5db3_3b38a3b80b964811a66b2faae498aa23.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/2ad674fb-f0b7-4f77-92f6-eb12dfc5532c/wakenodunanusitedegorafo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/debfe624-96ac-452a-b32f-5ad0b103ce3b/tapekinosig.pdfIn PDF document text
- https://6363ce23-9394-4102-a476-7be320345719.filesusr.com/ugd/7c41c1_5cdd00c154a848b7b66a3ddb7fd09e72.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0605eb54-ecb8-4852-80a5-43c99ccc662c/toret.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/23cb3c8b-b94e-4006-8956-37d6cbdfff17/86686986568.pdfIn PDF document text
- http://binalidagu.epizy.com/best_bible_study_guide_for_beginners.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fcb9.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFCB9	5296 bytes
SHA-256: `cf18eace6c6ba0902bcdf02ffe0c20304e6c6c3a736df2ceac1f4c9467188447`
`font_01_sfnt_off00010eb4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10EB4	11376 bytes
SHA-256: `e26c09a93a5724903dabed18c739db76aec33cea2b7396c7cfbec6a0e768fa8b`

Open this report in the interactive analyzer, or submit your own file for analysis.