PDF malware analysis — malicious · 77c95a8bd9db7603

MALICIOUS

PDF

78.9 KB Created: 2021-03-15 08:05:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-17

MD5: 074bd039165ab19f8ecb532798d1b62f SHA-1: 6133eccca505e41cb7ffbbdf7d444b33590b465d SHA-256: 77c95a8bd9db7603698b8b4ca4e6bcdb800c5f2d4f6140dd8338da4698829d50

194 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to attract traffic. The document body and embedded URLs indicate a lure for movie downloads, which is a common tactic for distributing malware. The ClamAV detection and ML classifier strongly indicate malicious intent, likely involving the exploitation of PDF vulnerabilities to execute a payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/wix?keyword=the+mortal+instruments+full+movie+download+in+hindi+480p PDF link annotation
- https://cdn-cms.f-static.net/uploads/4488842/normal_6010ef8ccab26.pdfIn PDF document text
- http://justiciaforjustice.com/jolawavepemasokupojxjzo1.pdfIn PDF document text
- http://baffer-shop.space/balochistan_issue_and_its_solutionxjpk6.pdfIn PDF document text
- http://rowexusaje.mypressonline.com/29740295203.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416938/normal_604dc76f82b52.pdfIn PDF document text
- http://fisareboveda.getenjoyment.net/nefokiwefelelukojaragutam.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476148/normal_60485aac558ca.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4505102/normal_601b51a73ac33.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4392857/normal_60417504ce53a.pdfIn PDF document text
- https://cdn.sqhk.co/zaviresodew/g0kiegi/69606772564.pdfIn PDF document text
- http://blaugrana.ru/sony_alpha_a6500_detailsldsph.pdfIn PDF document text
- https://cdn.sqhk.co/mizosamox/gfFjjs7/my_earthlink_login.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4502833/normal_6031493c29a9b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4495385/normal_5ffd4ea498ca1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4486053/normal_5fe6f4801bf96.pdfIn PDF document text
- http://namedaun.fun/siwadafolumizidogevabyn2l.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://tiluxusimutine.atwebpages.com/duvuxuwoxom.pdfIn PDF document text
- https://f867c6cd-7aae-4938-a634-6821dcb48262.filesusr.com/ugd/eb45fa_a4d262c74271484597ace2382c125256.pdf?index=trueIn PDF document text
- https://76df98a8-3e94-4eee-a6f5-23e1de06049b.filesusr.com/ugd/54c74c_e6e3ce252f3b4fa09083c70c6936d97e.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f50c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF50C	5808 bytes
SHA-256: `7d939a7ef2e167cfa824261f093d596c0b8c9ceb748f57d071015e9f170f5c43`
`font_01_sfnt_off000108bb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x108BB	10908 bytes
SHA-256: `7bdccb5dd26eb5ee79215317c916462a69038550872a4679ac79bfcd055a62d8`

Open this report in the interactive analyzer, or submit your own file for analysis.