PDF malware analysis — malicious · 7623b2a2344b632b

MALICIOUS

PDF

77.8 KB Created: 2021-04-23 15:28:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14

MD5: dbeac472fbd4218eb76a9f3d3be164dd SHA-1: d7ebff84b05abd4da30a6564954eb58808faf1ec SHA-256: 7623b2a2344b632b9e0687ce5cb384eecee984e455eb5dfe4e959f58bbb0919b

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The document body, though heavily obfuscated, contains references to search terms and PDF generation tools, reinforcing the idea of a lure to external content.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://zajinet.ru/strik?utm_term=what+is+landscaping+in+spanish PDF link annotation
- https://cdn.sqhk.co/rinugezig/kjdjcji/bajaj_pulsar_150_sales_figures.pdfIn PDF document text
- https://cdn.sqhk.co/worijekegir/herihhb/8974364429.pdfIn PDF document text
- http://baltika-trans.com/nuwokkzu2z.pdfIn PDF document text
- http://wikotimu.scienceontheweb.net/bodam.pdfIn PDF document text
- https://luresigixake.weebly.com/uploads/1/3/5/2/135294948/sifozavenexozobe.pdfIn PDF document text
- http://fly-drive.online/hp_deskjet_9800_wide_formatb9a49.pdfIn PDF document text
- http://erkutungotu.com/56104888566x5ac2.pdfIn PDF document text
- https://tajurasexir.weebly.com/uploads/1/3/1/6/131606020/a7c841d6c646b9.pdfIn PDF document text
- https://cdn.sqhk.co/wexufenu/bArDMia/62988101627.pdfIn PDF document text
- https://cdn.sqhk.co/fogunivugame/eFhbsTG/little_alchemy_2_hints_unblocked.pdfIn PDF document text
- http://dream-stat.ru/sutuvefibqvon.pdfIn PDF document text
- https://kipakewetug.weebly.com/uploads/1/3/4/6/134606983/7709512.pdfIn PDF document text
- https://wimazuwog.weebly.com/uploads/1/3/0/7/130740080/jevijof-dawoxofuzeso-jeperowimara-jividigi.pdfIn PDF document text
- http://lefibipefazefep.mypressonline.com/44839818256.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://b7e73dfe-ad35-4791-b4f7-7500f5b7882c.filesusr.com/ugd/bc79a4_eda3a9f39dd442c789dbc179af6bf3a8.pdf?index=trueIn PDF document text
- http://gagugitebuf.atwebpages.com/65486714225.pdfIn PDF document text
- http://temodorofeg.atwebpages.com/factors_affecting_biogas_production.pdfIn PDF document text
- https://s3.amazonaws.com/tugumeb/fagojijugaxexezosaz.pdfIn PDF document text
- https://s3.amazonaws.com/mexesazaxasa/97285708511.pdfIn PDF document text
- https://305aa2e3-e1d2-413d-aa2e-f1bb83d03ded.filesusr.com/ugd/92ee2b_60f2b0b91656477691bc49e61bbfd925.pdf?index=trueIn PDF document text
- https://b5b764bc-4fc6-48d7-9a4b-423a4d05f225.filesusr.com/ugd/3f2390_10ccace09a3543cdb3ad714b32a84c5f.pdf?index=trueIn PDF document text
- https://e60c805d-b9e1-47fc-b045-983511e9ac1f.filesusr.com/ugd/116bb2_7ab0f2cb932844cea3c0c566af22f729.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f057.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF057	5252 bytes
SHA-256: `fc1dcc1ad94222bafe6245ba2e386a9f72708236639013e393771a4f9729602e`
`font_01_sfnt_off00010244.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10244	11908 bytes
SHA-256: `635963a98d7d50e122c09c241a59f19354f2396c8c4efa1f30119c06368b88ea`

Open this report in the interactive analyzer, or submit your own file for analysis.