PDF malware analysis — malicious · 77a7069a6d29d022

MALICIOUS

PDF

79.1 KB Created: 2021-05-13 08:57:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7032a89c51c2577d75c339e4c0ecd162 SHA-1: 7cb714f2bb9632e6e2d6ced5b62fc45956c7802a SHA-256: 77a7069a6d29d02235ae494afd956341ce3858b985467d09e48939422fc491c8

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The 'SE_PAYMENT_REDIRECT_LURE' heuristic indicates the document's content is designed to trick users into believing there are new or changed banking instructions, a common tactic in business email compromise attacks.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dugedepap.ru/strik?utm_term=how+to+adjust+mini+fridge+temperature
- https://mututekabifu.weebly.com/uploads/1/3/4/4/134466573/pimogaguwesefut.pdf
- http://zomoxesami.22web.org/vomakozigodezulekiva.pdf
- https://static.s123-cdn-static.com/uploads/4465396/normal_6002090c7b8dc.pdf
- https://static.s123-cdn-static.com/uploads/4369173/normal_6001088e78b2e.pdf
- https://pokuzasovud.weebly.com/uploads/1/3/4/1/134108684/fufawar.pdf
- https://wifadesar.weebly.com/uploads/1/3/5/3/135345928/wezefa_rizimoxit_mujokusesi.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- http://tewimovonuwakag.rf.gd/67956154577.pdf
- https://uploads.strikinglycdn.com/files/3e7b504e-d155-4a17-ab44-7fb83024eead/quadratic_simultaneous_equation_solver_with_steps.pdf
- https://acfcda0b-1795-4b40-aedc-9a0bc13047ce.filesusr.com/ugd/89c6ad_4e0327258f7e4cab840a1f80ae177c07.pdf?index=true
- http://gelidug.epizy.com/94068143725.pdf
- https://uploads.strikinglycdn.com/files/48ec28d5-2494-4498-a023-c0cc929e149b/why_is_the_setting_important_in_a_play.pdf
- https://3ae4d138-4ba3-4962-98fb-1b98b40a6a82.filesusr.com/ugd/38062a_9e95c3273183492787b1372136a4721a.pdf?index=true
- http://pegalisijeg.epizy.com/xufoduzasuneredaliwo.pdf
- https://5fb42ee6-a9be-400a-98f2-f9d4b9f720c8.filesusr.com/ugd/1813b3_d2e5b6cd0051476fac613f8d4d6456a4.pdf?index=true
- https://3e1af3dc-cf37-4f58-935d-0a6065bc5ce9.filesusr.com/ugd/3ca236_d3794cb9e7124641995326ef3a978ab3.pdf?index=true
- https://3ecb585b-79b8-4502-8567-d9a17299c5c1.filesusr.com/ugd/4b874d_24d33b85e1c44f008ae0bd3ff4ffe54e.pdf?index=true
- http://fipomazuwasa.epizy.com/juvolamutugoxexatakegot.pdf
- https://uploads.strikinglycdn.com/files/38ac0ae2-05fd-49b0-9a9a-9610d80752fe/33065621696.pdf
- https://uploads.strikinglycdn.com/files/5677e587-b4d0-4d1b-9015-3312db46f428/ziwakabuwubojewuxovipu.pdf
- https://f18b8dc1-3ce9-44bd-8712-01435d039869.filesusr.com/ugd/b97cba_d468b15b9003421691c4ffd435ac9f2e.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e8be.bin` `f5f9f2886af2b908bf073b70034ef6863b0eed2e5f48396ba660894309652758`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE8BE	5340 bytes
`font_01_sfnt_off0000fae4.bin` `e69f8939c5d2da084d63b735c23babed92be515ce96cb530cf284b788680df21`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFAE4	11284 bytes
`font_02_sfnt_off00012126.bin` `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12126	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.